Aletho News

ΑΛΗΘΩΣ

Outdated Electronic Privacy Laws Allow Police to Access Sensitive Data Without a Warrant

ACLU | December 9, 2013

WASHINGTON – Law enforcement requests for a variety of cellphone users’ data continued to surge in 2012, according to responses from the nation’s major cellphone carriers prompted by inquiries from Sen. Edward Markey (D-Mass.).

Last year alone, AT&T and T-Mobile documented 600,000 requests for customer information made by local, state, and federal law enforcement. Verizon, in its response to Sen. Markey’s request, said that police requests for customers’ call records have approximately doubled over the last five years. Often, no warrant is required to compel cellphone carriers to turn over their customers’ information to police.

“Have no doubt, police see our mobile devices as the go-to source for information, likely in part because of the lack of privacy protections afforded by the law,” said Christopher Calabrese, legislative counsel at the ACLU’s Washington Legislative Office. “Our mobile devices quite literally store our most intimate thoughts as well as the details of our personal lives. The idea that police can obtain such a rich treasure trove of data about any one of us without appropriate judicial oversight should send shivers down our spines.”

The companies’ responses to Sen. Markey’s office also show that law enforcement conducts real-time surveillance of targets’ web browsing habits. According to AT&T’s letter, the company allows law enforcement to do “real time web browsing surveillance.” Police are also requesting “tower dumps,” whereby cellphone companies give law enforcement the records of all cellphone users who have connected to a particular cellphone tower in a given time range.

“There is an easy fix to part of this problem,” said Calabrese. “President Obama and members of Congress should pass legislation that updates our outdated privacy laws by requiring law enforcement to get a probable cause warrant before service providers disclose the contents of our electronic communications to the government. Anything less is unnecessarily invasive and un-American.”

Currently there are many proposals in Congress to reform the Electronic Communications Privacy Act (ECPA). Passed in 1986 before widespread usage of email or the existence of Internet-connected mobile devices, ECPA allows law enforcement agencies to obtain electronic communications content older than 180 days—including text messages—without a warrant. The ACLU supports bipartisan ECPA reform legislation introduced by Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) in the Senate and Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) in the House, which would require police to obtain a warrant before compelling service providers to divulge the contents of their customers’ electronic communications.

Wireless carriers’ responses to Sen. Markey are available at:
markey.senate.gov/Markey_Receives_Responses_from_Wireless_Carriers_on_Law_Enforcement_Requests.cfm

More information on ECPA reform is available at:
aclu.org/technology-and-liberty/modernizing-electronic-communications-privacy-act-ecpa

December 9, 2013 | Civil Liberties, Full Spectrum Dominance

President Foreshadows New Internet Surveillance Proposal During National Security Speech

By Trevor Timm | EFF | May 30, 2013

President Obama gave an influential speech on counter terrorism and national security policy last week, and while much of the media coverage discussed the President’s remarks on Guantanamo prison and drone strikes, buried in the speech was a line just as critical to civil liberties online.

Halfway through the speech, Obama said he wanted to “review […] the authorities of law enforcement, so we can intercept new types of communication, and build in privacy protections to prevent abuse.”

We certainly agree with the president that we need new privacy protections for our digital communications, and it’s encouraging to hear him suggest support for such proposals. After all, we know that the vast surveillance authorities given to law enforcement over the last decade—like the Patriot Act, FISA Amendments Act, and National Security Letters—have been serially abused. Unfortunately, President Obama has actively defended these laws and policies in Congress and the courts, despite promising to reform them as a candidate.

There are still many measures his administration could support in the coming months to protect Americans’ communications. The White House could formally support reform of the Electronic Communications Privacy Act, which still says law enforcement agencies do not need warrants to obtain emails over 180 days old. The White House could come out in favor of warrant protection for cell-phone location information since it’s requested by authorities literally millions of times a year without a warrant. In the wake of the Associated Press scandal, Obama could also support a bill to require a court order for call records of all Americans.

But the first half of Obama’s statement—about “review […] the authorities of law enforcement, so we can intercept new types of communication”—is quite troubling. The line is likely an allusion to CALEA II, a dangerous proposal the New York Times has reported the administration “is on the verge of backing.” The measure would force companies like Google and Facebook to install backdoors in all of their products to facilitate law-enforcement access, putting both our privacy and security at risk.

Law enforcement certainly doesn’t need more legal authorities to conduct digital surveillance. As mentioned above, Congress has already provided a huge amount of new surveillance authority that has been abused. As former White House Chief Counselor for Privacy Peter Swire said in 2011, “today [is] a golden age for surveillance.”

Indeed, it seems that law enforcement is working at cross-purposes with folks concerned about actual cybersecurity. Just a few months ago in his State of the Union address, Obama himself talked about hackers who “steal people’s identities and infiltrate private e-mail” and “foreign countries and companies [that] swipe our corporate secrets.” Requiring real-time back doors into all of our communications would make those kinds of attacks easier. Recently, a group of more than a dozen of the nation’s best cybersecurity experts published a paper explaining why such a proposal would be a disaster for Internet security, giving hackers all over the world a central point of vulnerability to target.

And of course the FBI has still failed to put forth any evidence showing a bill to “intercept new kinds of communications” is needed at all. According to government statistics, from 2006-2010, the FBI has been ultimately thwarted by encryption zero times in their criminal investigations.

Citing privacy concerns, the White House commendably has threatened to veto CISPA, the cybersecurity bill. It should also jettison this ill-conceived CALEA II proposal in favor of privacy and security.

Email and call the White House today to tell them you oppose any plan to make Internet companies build government backdoors into your communications.

May 31, 2013 | Civil Liberties, Full Spectrum Dominance, Progressive Hypocrite

IRS Says It Will Respect 4th Amendment With Regard to Email, But Questions Remain

By Nathan Freed Wessler | ACLU | April 16, 2013

With tax day behind us, taxpayers may soon have something else to celebrate from the IRS. In testimony before the Senate Finance Committee today, IRS Acting Commissioner Steven Miller was questioned aggressively about documents released by the ACLU last week that indicate that the IRS does not think it needs a warrant to read all emails and other electronic communications during criminal investigations. Under pressure from senators, Miller agreed to update IRS policy documents within 30 days to state that a warrant is required for access to all emails, regardless of their age.

Two senators from opposite sides of the aisle, Senator Grassley (R-IA) and Senator Wyden (D-OR), pressed Miller about whether the IRS has sought or obtained emails without a warrant since a federal appeals court ruled in 2010 that a warrant is required for all emails. (You can watch the hearing here. Sen. Grassley’s questions start at 1:25:00 and Sen. Wyden’s questions start at 1:31:10.) They asked why the IRS seems to be ignoring that 2010 decision—United States v. Warshak—in most of the country, and advising its criminal investigative agents that emails stored on a server for more than 180 days can be obtained without a warrant. Surprisingly, Miller answered that the IRS follows Warshak across the country. That’s not what internal IRS documents and its public policy manual show, but if true it is welcome news. Importantly, Miller committed to clarify written IRS policy within 30 days to state that a warrant is always required.

Miller’s testimony leaves several important questions unanswered, however:

  1. Although Miller stated that the IRS Criminal Investigation unit obtains warrants for all emails, he did not discuss other forms of electronic communication such as text messages, instant messages, and direct messages on social media. Under the Fourth Amendment, a warrant should be required for those private communications as well.
  2. Miller stated that, to his knowledge, the IRS has not obtained electronic communications without a warrant in the past. But an internal IRS Chief Counsel Advice memorandum from 2011 reveals that, months after Warshak, IRS investigative agents requested emails from an internet service provider without a warrant at least once. The IRS should explain when it started following Warshak nationally, and whether it has sought or obtained emails without a warrant in the past.

We applaud Senators Grassley and Wyden for quickly taking up this important issue and getting an answer from the IRS, less than a week after the ACLU released the IRS documents. But while the IRS’s apparent change of policy is a step in the right direction, there is more for Congress to do. The current IRS policy manual relies on the outdated Electronic Communications Privacy Act (ECPA), which only requires a warrant for some emails and other electronic communications. In order to uniformly protect the privacy of Americans’ private communications, lawmakers must update ECPA to require a warrant for the contents of all electronic communications, regardless of age or other factors. Strong reform legislation has been introduced by a bipartisan group of sponsors, and is starting to make its way through the legislative process. Follow this link to urge Congress to modernize our electronic privacy law and close the loophole that’s letting the government access email and other electronic communications without a warrant.

April 16, 2013 | Civil Liberties, Full Spectrum Dominance

New Documents Suggest IRS Reads Emails Without a Warrant

By Nathan Freed Wessler | ACLU | April 10, 2013

Everyone knows the IRS is our nation’s tax collector, but it is also a law enforcement organization tasked with investigating criminal violations of the tax laws. New documents released to the ACLU under the Freedom of Information Act reveal that the IRS Criminal Tax Division has long taken the position that the IRS can read your emails without a warrant—a practice that one appeals court has said violates the Fourth Amendment (and we think most Americans would agree).

Last year, the ACLU sent a FOIA request to the IRS seeking records regarding whether it gets a warrant before reading people’s email, text messages and other private electronic communications. The IRS has now responded by sending us 247 pages of records describing the policies and practices of its criminal investigative arm when seeking the contents of emails and other electronic communications.

So does the IRS always get a warrant? Unfortunately, while the documents we have obtained do not answer this question point blank, they suggest otherwise. This question is too important for the IRS not to be completely forthright with the American public. The IRS should tell the public whether it always gets a warrant to access email and other private communications in the course of criminal investigations. And if the agency does not get a warrant, it should change its policy to always require one.

The IRS and Email: Reading Between the Lines

The federal law that governs law enforcement access to emails, the Electronic Communications Privacy Act (ECPA), is hopelessly outdated. It draws a distinction between email that is stored on an email provider’s server for 180 days or less, and email that is older or has been opened. The former requires a warrant; the latter does not. Luckily, the Fourth Amendment still protects against unreasonable searches by the government. Accordingly, in 2010 the Sixth Circuit Court of Appeals decided in United States v. Warshak that the government must obtain a probable cause warrant before compelling email providers to turn over messages.

However, the IRS hasn’t told the public whether it is following Warshak everywhere in the country, or only within the Sixth Circuit.

The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.

Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.

Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was not.

The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.

The first indication that the IRS was considering the effect of Warshak came in an October 2011 IRS Chief Counsel Advice memorandum available on the IRS website but not provided in response to our FOIA request. An IRS employee sought guidance about whether it is proper to use an administrative summons, instead of a warrant, to obtain emails that are more than 180 days old. (The emails in question were located on an internet service provider’s (ISP) server somewhere in the territory covered by the Ninth Circuit Court of Appeals.) The memo summarized the holding of Warshak and advised that “as a practical matter it would not be sensible” to seek older emails without a warrant. This is good advice, but the memo’s reasoning leaves much to be desired. The memo explained that Warshak applies only in the Sixth Circuit but that, because the ISP had informed the IRS that it did not intend to voluntarily comply with an administrative summons for emails, there was not “any reasonable possibility that the Service will be able to obtain the contents of this customer’s emails . . . without protracted litigation, if at all.” Any investigative leads contained in the emails would therefore be “stale” by the time the litigation could be concluded, making attempted warrantless access not worthwhile.

The memo misses another chance to declare that agents should obtain a warrant for emails because the Fourth Amendment requires it. Instead, the memo’s advice (which may not be used as precedent and is not binding in other IRS criminal investigations) is limited to situations in the Ninth Circuit where an ISP intends to challenge warrantless requests for emails. The IRS shouldn’t obey the Fourth Amendment only when it faces the inconvenience of protracted litigation; it should recognize that the Fourth Amendment requires warrants for the contents of emails at all times.

Finally, to the present: has the IRS’s position changed this tax season? Apparently not. The current version of the Internal Revenue Manual, available on the IRS website, continues to explain that no warrant is required for emails that are stored by an ISP for more than 180 days. Apparently the agency believes nothing of consequence has changed since ECPA was enacted in 1986, or the now-outdated Surveillance Handbook was published in 1994.

The IRS Owes the American Public an Explanation—and a Warrant Requirement

Let’s hope you never end up on the wrong end of an IRS criminal tax investigation. But if you do, you should be able to trust that the IRS will obey the Fourth Amendment when it seeks the contents of your private emails. Until now, that hasn’t been the case. The IRS should let the American public know whether it obtains warrants across the board when accessing people’s email. And even more important, the IRS should formally amend its policies to require its agents to obtain warrants when seeking the contents of emails, without regard to their age.

(We also sent FOIA requests to the FBI and other components of the Department of Justice—we will be receiving records from those offices in the coming weeks.)

April 10, 2013 | Civil Liberties, Full Spectrum Dominance

Google Releases Transparency Report Showing US Surveillance Requests Up 33% in the Last Year

Two Out of Every Three US Demands to Google Come Without A Warrant

By Trevor Timm | Electronic Frontier Foundation | January 23, 2013

This morning, Google released their semi-annual transparency report, and once again, it revealed a troubling trend: Internet surveillance around the world continues to rise, with the United States leading the way in demands for user data.

Google received over 21,000 requests for data on over 33,000 users in the last six months from governments around the world, a 70% increase since Google started releasing numbers in 2010. The United States accounted for almost 40% of the total requests (8,438) and the number of users (14,791). The total numbers in the US for 2012 amounted to a 33% increase from 2011. And while Google only complied with two-thirds of the total requests globally, they complied with 88% of the requests in the United States.

Admirably, Google expanded their transparency report this time around, providing more detailed information about what kind of requests they get from the US government—specifically the type of requests they get under the main email privacy law in the US, the Electronic Communications Privacy Act (ECPA).

EFF has long criticized ECPA for not providing email with the same warrant protection as the Fourth Amendment gives to physical letters and phone calls. The Justice Department believes that it doesn’t need a warrant for emails over 180 days.  Google’s lawyers, to their credit, have criticized the law as well, saying just this week, “our view is that [ECPA] is out of compliance with the Fourth Amendment because the government can call for the production of your data without a search warrant.”

January 24, 2013 | Civil Liberties, Full Spectrum Dominance

The Disturbing Privacy Dangers in CISPA

By Trevor Timm | EFF | April 15, 2012

This week, EFF – along with a host of other civil liberties groups – is protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. Here is everything you need to know about the bill and why we are protesting:

What is “CISPA”?

CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated and the actual bill language is in flux.

Under CISPA, can a private company read my emails?

Yes.  Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.

Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications.  Communications service providers may only engage in reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications.  And these laws expressly allow lawsuits against companies that go too far.  CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability.  This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.

What would allow a company to read my emails?

CISPA has such an expansive definition of “cybersecurity threat information” that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”

A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.

Under CISPA, can a company hand my communications over to the government without a warrant?

Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long as the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.

Under CISPA, what can I do if a company improperly hands over private information to the government?

Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:

(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.

As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”

What government agencies can look at my private information?

Under CISPA, companies are directed to hand “cyber threat information” to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.

Can the government use my private information for other purposes besides “cybersecurity” once they have it?

Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.

Can the government use my private information to go after alleged copyright infringers and whistleblower websites?

Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”

The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:

(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information

But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.

A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.

What can I do to stop the government from misusing my private information?

CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above.  But any such lawsuit will be difficult to bring.  For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation.  It’s not at all clear how an individual would know of such misuse if it were kept inside the government.

Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.

Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.

In addition, while CISPA does mandate that an Inspector General issue a report to Congress on the government’s use of this information, its recommendations or remedies do not have to be followed.

Why are Facebook and other companies supporting this legislation?

Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.

Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.

What can I do to stop this bill?

It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.

April 16, 2012 | Civil Liberties, Full Spectrum Dominance