Ron Wyden: It's Time To Kill The Third Party Doctrine And Go Back To Respecting Privacy

from the make-it-so dept

Mon, Aug 18th 2014 7:47am — Mike Masnick

For years, we've written about the third party doctrine and its troubling implications for the 4th Amendment and your privacy -- especially in the digital era. If you're unfamiliar with it, the third party doctrine is the concept used by law enforcement (and, tragically, the courts) to say that you have no expectation of privacy or 4th Amendment rights in information you've given to a third party. The origins of this argument are not completely crazy, because there is a legitimate claim to the idea that if I entrust you with some private information, and you decide to disclose it, that my 4th Amendment rights haven't been violated. But that assumes a very different world. In today's digital world -- especially with cloud computing -- we "entrust" all sorts of information to third parties even though we still think of and treat that information like it's our own personal effects. These aren't cases in which I'm handing over a collection of journals to my neighbor to hold onto. Online services are treated as our own content -- which we can access, update and modify at any time from any device.

While the Supreme Court's recent decision in the Riley/Wurie cases suggests that it is becoming increasingly uncomfortable with law enforcement twisting old concepts onto new technologies to eviscerate privacy, the third party doctrine technically still stands -- and there has been little real discussion of it in Congress.

So it's good to see that Senator Ron Wyden is actually speaking out about why the third party doctrine needs to go. The speech is a good one, talking about oppressive governments and surveillance, and the rise of technology -- and how our laws have not kept pace when it comes to protecting our privacy against government intrusion. Then he digs in on the third party doctrine, noting that it was established by "judges who did not fully understand 20th Century technology, much less anticipate the technology we have today" and that it makes little sense considering the way we use technology today:

Some will still argue that by sharing data freely with Facebook, Google, Mint, Uber, Twitter, Fitbit, or Instagram, Americans are choosing to make that data public. But that is simply not the case. I might not have any expectation of privacy when I post a handsome new profile picture on Facebook, or when I send out a tweet to tell people I’ll be at the Tech Northwest conference. But when I send an email to my wife, or store a document in the cloud so I can review it later, my service provider and I have an agreement that my information will stay private. Neither of us have invited the government to have a peek. Basically, I think sharing this information with Google is like putting property in a safety deposit box, but the government thinks I’m posting it on a billboard out on I-5.

Citizens have agreed to a contract with Google or Mint that keeps their email or financial data private. In many cases these companies don’t even know what information they’re holding for you. Making information available to a service provider for a limited business purpose - so that they can give you a new app, or provide targeted ads, or do any other kind of business with you - is simply not the same as broadcasting that information to the public. In the view of the law this data should be as secure to your person as if it were sitting in a locked filing cabinet in your home office.

So how about fixing it? Well, he says, it needs to start by reforming the laws that cover the intelligence community, preventing them from bulk collection of the data you've handed to third parties.

I believe that any serious effort to reform this law needs to end the bulk collection of Americans’ personal information, starting with their phone records. I have been challenging this program for years on the grounds that isn’t just harmless old metadata. Furthermore, I believe that Congress needs to reform the Foreign Intelligence Surveillance Court, to make it more transparent and to include an advocate for the American people. Additionally, there needs to be much greater transparency from intelligence agencies about the scale and scope of domestic surveillance activities, and private companies should be given the ability to disclose much more information about requests they receive from the government. Most of all, Congress must close the loophole that intelligence agencies are currently using to read a significant number of Americans’ communications without a warrant.

But that's just the start. He calls out Executive Order 12333, which we've been discussing lately. That's the Ronald Reagan-signed executive order that lets the NSA collect whatever the hell it wants outside of the US. As was recently revealed, this program, which has no Congressional or Judicial oversight, is really the core program that the NSA uses. All the domestic spying under Section 215 and 702? That's just to "fill in the gaps." Wyden thinks its time that EO 12333 got reviewed and reformed:

The next step will be to seriously examine collection that is done overseas. When the Foreign Intelligence Surveillance Act was written in the late 1970s, it was written to only apply to collection done inside the United States. But that was back in an era when each country essentially had its own separate communications infrastructure.

Now those separate systems have been replaced by an integrated global communications network, in which calls and emails within one country might be routed through multiple different countries. When you combine that shift with new technology that makes it much easier to obtain large amounts of data, it no longer makes sense to assume that collection done overseas will not sweep up the communications of large numbers of law-abiding Americans.

This means that the rules that govern collection overseas will need to be substantially revised. These are governed by something called Executive Order twelve-triple-three, which is more than 30 years old and predates this sea-change in global communications. I was encouraged a few weeks ago when the Senate Intelligence Committee recognized this fact, and voted to advance a bill that would begin to establish some firmer rules in this area.

Finally, he talks about the need for ECPA reform -- another thing we've been discussing for years. ECPA is the 1986 Electronic Communications Privacy Act which is so woefully out-of-date, it's not even funny. It's the one that assumes if any communication is sitting on a server for more than 180 days, then it's "abandoned." Go look at how many emails in your Gmail account are over 180 days old... Even though more than half of the House is co-sponsoring an ECPA reform bill, law enforcement folks are protesting it, because they like the easy access. The DOJ loves to go on fishing expeditions with ECPA, as does the SEC and the IRS. Wyden says it's time for real reform.

There's much more that can be done, some of which he refers to in his speech, but it would be nice if Congress finally realized just how truly dangerous the third party doctrine is to our privacy.

Wyden Third Party Doctrine (PDF)Wyden Third Party Doctrine (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ecpa, ecpa reform, metadata, nsa, privacy, ron wyden, surveillance, third party doctrine

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

BentFranklin (profile), 18 Aug 2014 @ 7:44am

https://www.documentcloud.org/documents/1275667/wyden-third-party-doctrine.pdf
[ link to this | view in chronology ]
Anonymous Coward, 18 Aug 2014 @ 7:50am

Ron Wyden is one of the few non-flip flopping politicians who still holds publicly popular positions even after elected and not just when running for campaign. So many other politicians hold positions they know are popular among their constituents and then, all of a sudden, they switch positions once elected. Then the shills around here say 'but this is what the people want because this is who they voted for'. If that's the case then they wouldn't all need to switch positions once elected.
[ link to this | view in chronology ]
- AzureSky (profile), 18 Aug 2014 @ 12:21pm
  
  Re:
  Wyden is one of the few in office today you could consider to be a true statesman rather then being a pure politician, rather then serving corporate interests at the expense of thi voters he tries to do whats best for his voters....i respect that.
  [ link to this | view in chronology ]
David, 18 Aug 2014 @ 8:08am

Third party doctrine car analogy
Once I've given my car key to anybody, I have no expectation who may be using my car to what purpose in future.

Sort of defeats valet parking. Also makes it hard to get your car repaired without it ending up in a different country.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 9:21am
  
  Re: Third party doctrine car analogy
  Your analogy is so far off the mark.
  
  You go to bank and rent a safe deposit box ... cloud computing and storage is the same thing.
  [ link to this | view in chronology ]
Anonymous Coward, 18 Aug 2014 @ 8:08am

i think Congress is fully aware of how dangerous 12333 is, along with the other bills that are, basically, attached. the main reason there hasn't been 'any real reform' is because Congress members dont want to be inundated with lobbying from law enforcement agencies who want to keep things as they are, nice and easy. ie just go and get whatever they want, legal or not, and lie like fuck about what they got, how they got it, what it's used for and how long it will be kept.
on top of that, whether they realise it or not, members are being spied on just as much, if not more, than other people, simply because of their position. until something is revealed about a task or a personal thing to do with one or more members, they seem to be oblivious to what's happening. get a senator in the cross hairs, for example, then see things take a different course!!
as for Wyden, he's just about the only person who does the job for which he was elected. every other member is there, predominantly, to get what he/she can, personally, out of the job, while cowering to the government and the security forces and lying continuously to the public!!
[ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 9:21am
  
  Re:
  Congress members probably don't care that much about lobbying since that has turned out to be a two-way street as in "I scratch your back and you scratch my back" - lobbying and campaign funding. Even Feinstein has argued that foreign surveillance should be reviewed by congress.
  
  They are far more likely to be spied on than others. The best solution given that many countries are interested in their secrets, would be to prioritize further anti-surveillance measures and in particular a priority on creating a separate agency specialized in anti-surveillance.
  [ link to this | view in chronology ]
pixelpusher220 (profile), 18 Aug 2014 @ 8:09am

'choose to disclose' - key difference
if a 3rd party, such as you're friend or anyone/any company who doesn't have an agreement to 'not disclose', does indeed disclose, then yes you have no 4th amendment recourse.

The BIG difference here is the courts ordering the release of the 3rd party held information. That's not 'choosing' to disclose and as such you should be able to fully employ your 4th amendment rights.
[ link to this | view in chronology ]
Michael, 18 Aug 2014 @ 8:10am

The big question is: Why hasn't the NSA arranged for an 'accident' for this guy yet?
[ link to this | view in chronology ]
- BentFranklin (profile), 18 Aug 2014 @ 8:35am
  
  Re:
  They got Paul Wellstone and Mel Carnahan with private plane crashes. Let's hope Ron Wyden stays out of private planes.
  [ link to this | view in chronology ]
- John Fenderson (profile), 18 Aug 2014 @ 8:36am
  
  Re:
  Because the NSA doesn't do operational things like that. They'd ask the CIA or FBI to do it.
  [ link to this | view in chronology ]
  - Michael, 18 Aug 2014 @ 10:51am
    
    Re: Re:
    You see? These agencies DO need to have more freedom to share information between themselves. If they could, this Wyden problem could already have been solved.
    [ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 11:00am
  
  Re:
  You know how representatives often start their floor statements with "I reserve the right to revise and extend my remarks."? If I was Wyden, I would have pre-authorized my aides to add a whole lot of interesting intelligence info to the congressional record in the case of any 'accident' to my person or position.
  [ link to this | view in chronology ]
Argonel (profile), 18 Aug 2014 @ 8:11am

Can we revise the third party doctrine to "Third parties may not be compelled to provide documents or information about you without a proper warrant or subpoena just as you cannot be compelled to provide information without a warrant or subpoena. This shall not be construed as preventing a third party from volunteering information if they choose to do so."

It shouldn't be hard for a law enforcement agency to convince a judge to allow them to have a cell phone provider disclose if a suspects cell phone was in the vicinity of a bank at the time of a bank robbery. Even if it is more work than just calling up Verizon and saying give me a list of everyone that was within half a mile of this bank within half an hour of the robbery.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 10:59am
  
  Re:
  ok. but the telco' were getting paid for the information (well supposedly for the time to retrieve it). So of course they want to keep the money so they will just voluntar to give the information.
  [ link to this | view in chronology ]
tab, 18 Aug 2014 @ 8:17am

Sorry, but this is a little bit like copyright, and also similarly unenforceable. It doesn't matter what countrys' laws say, the laws of physics rule. If you don't want copies of information spread further, don't share a copy in the first place. Simples.

You may desire to shut the barn door after the horse has bolted, whether for noble-sounding (privacy) or terrible (copyright monopoly) reasons, but the world doesn't work that way.
[ link to this | view in chronology ]
- jdc (profile), 18 Aug 2014 @ 8:37am
  
  Re: tab
  So, are you claiming that everyone needs to run their own email server? After all, the third party doctrine means that google, yahoo, hotmail, etc. need to disclose your email to the authorities without requiring a warrent. And email is pretty much an essential element of modern society.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 18 Aug 2014 @ 8:40am
    
    Re: Re: tab
    "So, are you claiming that everyone needs to run their own email server"
    
    This is what I've done for years, and I recommend it. It's not hard. I started simply because I didn't want to be at the mercy of a third party provider (they might go out of business, have a technical problem that causes me to lose my email or lose access to it, etc.) Now, I continue to do it to minimize being spied on both by private companies and the government.
    [ link to this | view in chronology ]
    - Michael, 18 Aug 2014 @ 8:59am
      
      Re: Re: Re: tab
      According to the Aereo ruling, since your privately hosted email solution looks like Gmail or Hotmail, you have to give up the information anyway.
      [ link to this | view in chronology ]
      - John Fenderson (profile), 18 Aug 2014 @ 9:04am
        
        Re: Re: Re: Re: tab
        But I'd be aware that my data has been requested, and I have a chance to fight back against it. Even if I lose, I'm still aware that my data has been given away. Those are two huge benefits that are completely absent when a third party holds the data.
        [ link to this | view in chronology ]
        
        That One Guy (profile), 18 Aug 2014 @ 4:52pm
        
        Re: Re: Re: Re: Re: tab
        'Terribly sorry, but I seem to have used the same backup system employed by the IRS, and all the records you're asking for seem to have been accidentally lost. Coincidentally, the accident occurred the same day that you asked, what are the odds?'
        [ link to this | view in chronology ]
- John Fenderson (profile), 18 Aug 2014 @ 8:38am
  
  Re:
  "It doesn't matter what countrys' laws say"
  
  When you're talking about what can be done legally, then the country's laws are the only thing that matters.
  [ link to this | view in chronology ]
Name, 18 Aug 2014 @ 8:19am

Gunz
All for his views in this area, but he voted for the assault weapons ban, where he lost me. I'm already undergunned as it is let alone facing militant cops with MRAPs if it ever came down to it.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 10:22pm
  
  Re: Gunz
  I'd rather prevent the government from being able to legally (or technically) access the information that gives 'em their excuse to deploy the thugs in MRAPs in the first place.
  [ link to this | view in chronology ]
AnonCow, 18 Aug 2014 @ 9:58am

Forget about 3rd party doctrine, I've never understood why it is acceptable to treat non-citizens outside of the United States by a different standard than we treat American citizens in the United States.

On what basis do we justify that they don't qualify for the same fundamental protections as Americans? The defining sentence of our nation is "all men are created equal", not "all citizens of the United States are created equal" and that, therefore, ALL men have inalienable rights.
[ link to this | view in chronology ]
Brian (profile), 18 Aug 2014 @ 10:58am

Maybe we should find out if any members of congress have emails older than 180 days and publish the "abandoned" emails in full.
[ link to this | view in chronology ]
- MonkeyFracasJr (profile), 18 Aug 2014 @ 12:36pm
  
  Re: ^^^ YES ^^^
  Yes. Do that.
  [ link to this | view in chronology ]
Anonymous Coward, 18 Aug 2014 @ 12:31pm

Yeah, right.
"...there is a legitimate claim to the idea that if I entrust you with some private information, and you decide to disclose it, that my 4th Amendment rights haven't been violated."

Like, if I didn't want my doctor to disclose my private information to some government agent I wouldn't give it to him/her in the first place, right? Yeah, I see how that works. Uh huh. Makes perfect sense.
[ link to this | view in chronology ]
Anonymous Coward, 18 Aug 2014 @ 1:23pm

This is great, but...
While I think this is a great step in the right direction, I am still missing the part where anyone at all are saying: "we shouldn't be doing this to our allies either. Friends don't do that to friends". I think it is an outrage when allies through many decades are spied upon to gain political advantage in negotiations or in meetings and then when discovered, they just shrug it off, just because they are the biggest kid in the school yard.
I know it has to begin somewhere but this is almost never mentioned.
[ link to this | view in chronology ]
twinsdad9901 (profile), 18 Aug 2014 @ 4:10pm

Executive Orders
How long do these things stay in effect? If Reagan issued 12333, that is a pretty long time for it to be still used. Is there no sunset law for executive orders?
[ link to this | view in chronology ]
- John Fenderson (profile), 19 Aug 2014 @ 8:44am
  
  Re: Executive Orders
  There is no sunset to them unless they include a sunset as part of the order itself. EO last until another EO cancels them.
  [ link to this | view in chronology ]
Whatever (profile), 18 Aug 2014 @ 8:59pm

wyden does it again
Here we go again, Wyden rattling on about something but appearing to do nothing. It's all air and grandstanding, and not much real action.

Mr Wyden, my suggestion for you: If you want to change the laws, then propose changes. Put them in front of your elected peers, and see what happens. If you want to change things, stop talking, and start doing.

Huffing and puffing doesn't blow the house down.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Aug 2014 @ 10:37pm
  
  Re: wyden does it again
  Mr Wyden, my suggestion for you: If you want to change the laws, then propose changes ... stop talking, and start doing.
  Yeah, he never does anything.
  
  https://www.govtrack.us/congress/bills/browse?sponsor=300100
  [ link to this | view in chronology ]
- Easily Amused (profile), 18 Aug 2014 @ 10:50pm
  
  Re: wyden does it again
  Doesn't it ever get boring just being contrary to every post here? Do you even actually remember your own opinions about life, or have they all faded away in the deluge of knee-jerk trolling you do?
  [ link to this | view in chronology ]
- John Fenderson (profile), 19 Aug 2014 @ 8:45am
  
  Re: wyden does it again
  "Mr Wyden, my suggestion for you: If you want to change the laws, then propose changes. Put them in front of your elected peers, and see what happens. If you want to change things, stop talking, and start doing."
  
  Spoken like somebody who has exactly no idea how Washington actually works.
  [ link to this | view in chronology ]
Anonymous Coward, 19 Aug 2014 @ 6:27pm

"but it would be nice if Congress finally realized just how truly dangerous the third party doctrine is to our privacy."

Oh they realize it all right, and will do whatever they can to keep the doctrine intact and working exactly as planned, in order to keep those lobbied cash envelopes coming in regularly.

What you need to realize is how dangerous your privacy is to the forces of fascism, and maybe then you'll start to understand that none of this is a coincidence.
[ link to this | view in chronology ]
William Merz, 19 Sep 2014 @ 11:03am

Response to the 3rd Party Doctrine/ECPA
The third party doctrine needs to define "the third party". If the third party is a social media website such as Face Book, there should be no expectation of privacy. The old language of the Third Party Doctrine, and the Electronic Communications Privacy act allow the government to interpret these laws, and twist them in their favor. Essential these laws state, that if, I send my email through a service provider such as Yahoo! or Gmail, or even store documents in a cloud, I am delivering them to a third party, and therefore no longer protected under the fourth amendment, allowing intelligence agencies warrantless access. Communications sitting on a server after 180 days are considered "abandoned", and in turn, personal privacy is disregarded by intelligence agencies.

While this article advocates change in favor of personal privacy, it only addresses legal issues with regards to personal privacy. It does not address employment issues. For instance, federal law allows employers to ask employees for their Facebook username and password. (http://www.usatoday.com/story/money/business/2014/01/10/facebook-passwords-employers/4327739/). Before social websites, employers would receive and application, review it, schedule an interview, and potentially hire a new employee. If an employer is not allowed to ask any personal questions, such as, "Do you have any children?", then how would federal law protect them from asking for a username and password? Many Face Book users only allow friends and followers to view their profiles, pictures, and posts. This also poses a security risk. If a potential employer asks for a potential new hire's username and password, he/she is allowing a complete and total stranger to have personal access to the account, and that poses a risk for identity theft.

The solution to this issue: Create a pseudonym for any and all social media sites, and then lie when your potential new employer asks for your face book username and password.
[ link to this | view in chronology ]