Re-examining access to personal digital data
AP Photo by Stephanie Keith
Occupy Wall Street protester Malcolm Harris, along with more than 700 other activists, marched along the edge of the Brooklyn Bridge during a protest in October 2011. A number of the marchers, including Harris, ventured into the street, where they were promptly arrested for obstructing traffic. Months later, the New York County District Attorney’s Office issued a subpoena to social media company Twitter for “any and all information” tied to Harris’ Twitter account. Twitter notified Harris of the subpoena, and both he and the company tried to quash it. However, a New York trial judge ruled this past September that Twitter must hand over the subpoenaed information or face criminal and civil contempt charges in the form of fines. The company complied.
The decision was a blow to Internet privacy and demonstrated that even protected tweets, private messages and user data can be subpoenaed without any court involvement and without any input by the user. It also brought to light a bigger issue: The 1986 Electronic Communications Privacy Act (ECPA) does not protect Internet users as it was intended to. And the effect has left Internet companies scrambling to figure out how they will respond to government requests for users’ information.
An outdated act
In 1986, the ECPA was enacted to prevent unauthorized government access to private electronic communications. The ECPA is a bill that updated or created three federal laws: the Wiretap Act, the Pen Register Act and the Stored Communications Act (SCA).
The Wiretap Act protects electronic communications while in transit and creates more stringent standards for search warrants for the information. The Pen Register Act governs the collection of non-content communication information, such as phone numbers dialed. The SCA is intended to protect stored electronic communications but allows the government to access such information with a subpoena, not a warrant like the Wiretap Act requires.
However, the rapid growth of the Internet quickly outpaced the act, and the distinctions between what information is protected and how has become confusing. The content of email messages “in transit” is protected under the stricter Wiretap Act and must be acquired through a warrant, while opened email messages that are stored on a server and unopened messages that are more than 180 days old fall under the weaker SCA and can be obtained through a subpoena with no judicial review.
Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, said that requested information can be divided into two main categories: content and non-content information.
Non-content information is defined as basic subscriber information and transactional data and can be obtained under the Pen Register Act. Subscriber information, which includes a user’s name and all of the information he or she provided to the service provider, can be accessed with a subpoena. Transactional data, which shows with whom, when, where and how often an individual communicates, requires a court order to be accessed. Dempsey said that this non-content information — which is not protected under the Fourth Amendment’s guarantee against unreasonable searches and seizures because it is not technically content — can nonetheless reveal a lot about a person.
“If someone gets a full list of all the phone numbers you’ve called, all of the websites you’ve visited and all the people who have sent you email and to whom you’ve sent email, they have a full picture of your life,” he said.
Most content information, which includes the body or substance of email messages and other electronic communications, falls under the weaker SCA and can be obtained by the government through a subpoena. Opened email messages that are stored on a server and unopened email messages that are more than 180 days old can be accessed with a subpoena, while unopened email messages that are less than 180 days old require a warrant for access.
In most cases, subpoenas for electronic communications are issued to the service providers, not the subscribers or creators of the content, since most communications today are stored with a third party. This has created a growing problem as more and more people store information on email servers, social media websites and “the cloud,” said Lee Tien, an attorney with the Electronic Frontier Foundation.
Thus, information that would normally be protected under the Fourth Amendment, such as a calendar or document an individual keeps on his or her personal computer, is not offered the same constitutional protection once it is stored through an Internet service provider.
Confusion in the courts
More and more, Dempsey said, the government is taking the position that it should be able to access content and non-content information with just a subpoena, and in many cases it is able to do so because the courts do not know how to deal with the complicated application of the ECPA to the Fourth Amendment. In United States v. Warshak, the U.S. Court of Appeals in Cincinnati (6th Cir.) held that the content of email messages is protected by the Fourth Amendment, and the government must obtain a warrant based on probable cause to access the messages. However, in other federal courts, the contents of email messages may be accessed with only a subpoena, Dempsey said.
“That’s one of the fundamental questions that nobody has an answer to: What application does the Constitution have to digital technology, to the Internet and email?” Dempsey said. “Nationally, the statute on the books is the ECPA, which was written before the World Wide Web, Google, Facebook, texting, etc. It sets up these complicated rules, and the courts have barely begun to analyze what all this means constitutionally.”
In the past five years, more than 30 federal decisions have been published on government access to non-content information, and have reached notably different conclusions, according to the website of the Digital Due Process Coalition, a group made up of organizations and Internet companies advocating for reform of the ECPA. The act can no longer be applied in a clear and consistent way, and the personal information generated by today’s digital communication services might no longer be adequately protected, according to the website.
“There are so many cases coming through the courts, and the decisions are going in all different directions,” Dempsey said. “It could be years before any of these issues reach the Supreme Court.”
How a company responds to a government-issued subpoena for a user’s subscriber information or content depends on what is requested, what form the information is in and the company itself, EFF’s Tien said.
“It depends on what the legal requirements are, which statutes apply and whether they override the Constitution,” he said. “Some [requests] are pretty clear, but there are others that companies will object to because it might address a bigger issue that an old statute may not cover.”
Tien said how companies proceed also depends on how aggressive they want to be legally, how protective they are of the user’s privacy and whether it is part of their agenda to make the subpoena a federal issue by raising a First Amendment defense like Twitter did in the case of the Occupy Wall Street protester.
But Tien acknowledged that at the end of the day, if a court says the company is wrong, it either has to agree and hand over the information or appeal the decision.
Caught in the middle
The courts’ uncertainty about the application of the ECPA leaves corporations caught in the middle, Dempsey said.
“The companies want to be good corporate citizens, and they recognize that law enforcement has a legitimate need for some information stored electronically,” he said. Companies also know that they are sitting on “a lot of sensitive data” and will fight an uphill battle if they try to resist a subpoena, he added.
Dempsey said that it is almost impossible for ISPs, especially smaller companies with less money, to successfully appeal subpoenas. Since such subpoenas are issued without prior approval of the court, the burden is on the recipient of the subpoena to challenge it.
“Any company has the right to challenge and resist a subpoena, but the government will probably move to file a motion to compel in court, and under penalty of law you have to comply once the court rules,” Dempsey said. “The company can appeal, but costs start going up, and the likelihood of getting the ruling overturned on appeal goes down.”
Technically, the ECPA requires the government to provide users with “prior notice” that their information is being subpoenaed, but law enforcement officials often use an exception that allows officials to wait 90 days before communicating with the user. When the government deals directly with ISPs to access communications data, the users and producers of the information are often left out of the equation, Dempsey said. Most of the time, customers do not know that their information was subpoenaed until much later, he added.
The case involving Harris and Twitter is unique because both the company and the individual have been actively involved in fighting the government’s subpoena for Harris’ subscriber information and tweets. Despite the fact that Twitter complied with a court order to hand over the information, the company is still challenging the subpoena in a New York appellate court. Harris likewise is challenging the trial court’s decision, arguing that the subpoena violates his First and Fourth Amendment rights.
Emily Bass, Harris’ lawyer, said that the courts are overlooking the most important aspect of these subpoenas: the content creators themselves. She said the users have a right to be involved in the request for communication information.
“Look, the First and Fourth Amendments haven’t disappeared,” Bass said. “They have to be accommodated to the digital world, and one of the most logical ways to do that is to recognize that the people who use the Internet still have certain Fourth Amendment rights.”
Bass argued that in order to access private communication information, the government should have to get a court order in a situation where the user is made aware of the request and is able to stand up and fight the disclosure of his or her information.
“Everyone else is getting to say why that information should be disclosed, and at each level the user, who should be recognized for having a real interest in the proceedings, has been denied or ignored,” Bass said. “The appropriate person to stand before the court and address these issues is the person whose communications are at stake and the person who really has privacy interests in those communications.”
In the George Zimmerman prosecution, a Florida judge recently allowed the defendant’s lawyers to subpoena Facebook and Twitter for shooting victim Trayvon Martin’s deleted accounts but said she would entertain motions to quash by the social media companies if they opted not to comply with the subpoenas.
Prosecutors argued that Zimmerman, who fatally shot Martin in February, had never seen the boy’s social media profiles so they would be irrelevant to the case, but defense attorneys said the accounts could show whether Martin had aggressive tendencies.
A defense attorney acknowledged the difficulty of actually obtaining the records, and as of mid-October, the companies had not responded to the request.
Working toward change
Dempsey said the answer to the problems surrounding the ECPA will come from court decisions and company practices, as well as from consumers who draw attention to the issue.
Legislation to change the ECPA, including the ECPA Amendments Act of 2011, has been slowly making its way through Congress, and organizations like the Digital Due Process Coalition are urging Congress to update the law, Dempsey said. Formed in part by the Center for Democracy and Technology, the coalition’s members include Apple, Microsoft, Google, Facebook and Twitter.
“The companies are increasingly worried that the government views them as their first stop in any criminal investigation,” Dempsey said. Many of the companies involved often do not work together because they are competitors, but they were all able to agree on a set of basic principles to reform the law, he added.
And courts are also starting to acknowledge the problem. This past January, the U.S. Supreme Court held that law enforcement officials’ use of GPS tracking devices attached to suspects’ cars to monitor their movements on public streets constitutes a search under the Fourth Amendment. In her concurring opinion in United States v. Jones, Justice Sonia Sotomayor questioned whether the Court should revise its present notions of the reasonable expectation of privacy in the digital age and suggested that users should be protected if they give information to third parties.
Tien said that although legislation and litigation like that undertaken by Harris and Twitter are important factors in successfully amending the ECPA, how companies respond to subpoenas also is crucial.
“I certainly agree that [Internet companies] should have a more unified industry approach,” Tien said. “We can hope and encourage companies to work together to have industry best practices, but it’s always been difficult to get them to work together.”
But Dempsey said that progress seems to be occurring.
“I think that bit by bit, the companies are informally talking with each other about how to respond to government requests,” he said.
In the meantime, Harris and Twitter are waiting for their legal challenges to the subpoena to play out in court.
“If the lower court’s decision was vacated . . . it would affect not just Twitter users, but essentially everybody on the Internet,” Bass said. “We hope the court in this region will declare the law correctly and say that the people who use communications, whether it’s email, tweets or text messages, have First Amendment and privacy interests in that information and have a right to be involved in the request for that information.”