Government Seeks Do-Over On Win For Microsoft And Its Overseas Data

from the please-please-please-let-me-get-what-I-want dept

The DOJ wants the Second Circuit Court of Appeals to revisit the decision it handed down in July -- the one that's preventing it from forcing Microsoft to hand over data stored on its servers in Ireland. The DOJ hoped the court would read the Stored Communications Act as applying to the location of the company served with the data request, rather than the actual location of the data. The Appeals Court disagreed with the lower court's finding -- one that dragged in the Patriot Act for some reason -- pointing out that the purpose of the SCA was to protect the privacy of communications, not to facilitate the government in obtaining them.

The government has filed a petition [PDF] for a rehearing of the case, obviously in hopes of a reversal. Jennifer Daskal of Just Security has posted several reasons why the DOJ's desired interpretation of the Stored Communications Act is dangerous, along with other problems arising from this decision.

To begin with, the decision raises new logistical issues, both for the government and the private companies served with these warrants.

According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”

The court's interpretation of the SCA theoretically means Google will never again have to turn over requested emails to law enforcement.

Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.

That being said, Daskal points out that the government also feels that just because it has a warrant, it should be able to demand the production of communications wherever, whenever. This flat assertion that warrants trump privacy in every case is every bit as one-sided as the DOJ's theory that Google now has the option to rebuff warrants at its sole discretion.

The DOJ's fears aren't entirely unfeasible. Companies that sell their communications tools with privacy-heavy sales pitches could simply offshore their data storage to put it out of reach of SCA-citing warrants, turning the 2nd Circuit's ruling into a middle finger to US law enforcement.

If this is going to be fixed in any sort of way that doesn't turn this into a one-sided victory for service providers or the government, it's probably going to need to be through legislation. The court's revisitation of the issue (courts have generally been favorable to rehearing requests from the US government) may come to that very conclusion.

Indeed, the DOJ has already begun pushing for a legislative solution, albeit one that heavily favors the government. The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.

As Daskal notes, Congress is better off addressing this issue sooner rather than later. Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.

Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.

Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens and residents data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign government also have an interest in controlling access to their residents data. Those interests ought to be taken into account.

Unfortunately, Congress doesn't really have a great track record when it comes to legislative fixes for tech issues. We have a more technologically-adept set of legislators than we've ever had previously, but there are still many who won't see the forest of implications for the law enforcement trees. But the situation may become much, much worse if left unattended.

Filed Under: doj, electronic surveillance, ireland, jurisdiction, stored communications, warrant
Companies: microsoft

Why Regulations Aimed At Technology Almost Always Suck: Or Why Reading Someone's Gmail Isn't Reading 'Stored Communications'

from the don't-let-them-near-technology dept

There have been a couple of stories covering the fact that the South Carolina Supreme Court has ruled that reading someone's Gmail does not violate the Stored Communications Act, a part of ECPA -- a law we've written about a number of times for being completely out-of-date. Orin Kerr has a good breakdown of the details, if you want to read them. What struck me most, however, is how this case is a near perfect example of the kind of mess we get into when politicians try to regulate technology. Technology changes much, much, much faster than the law, and because of that, you get very silly results. The key issue here is that the Stored Communications Act is now found in 18 U.S.C. 2701 -- and it defines the offense as occurring when someone "obtains, alters or prevents" access to communication "while it is in electronic storage." Now, for the purpose of the law, "electronic storage" is defined over in 18 U.S.C. 2510, with the relevant definition noting:

“electronic storage” means--
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

Got that? It must have seemed reasonable at the time it was written, but it makes little sense these days, and is apparently so misaligned with reality today that this one single case interprets that definition in three different ways, and exactly none of those ways agree with a 9th Circuit ruling in Theofel v. Farey-Jones. There's disagreement over the meaning of "backup" in part (B) in particular. Is that backup for the user? Or for the service provider? And then, how do you figure out what is or what is not backup? If a person reads his or her Gmail account, then the message was copied to his or her local machine inside the browser. Thus, it seems reasonable to argue that the copy that remains on the server is a backup copy. But two of the judges in this case argued that because the recipient had not "downloaded" any other copies of the message to store, then the ones on the server were not "backups." This makes little sense because copies were downloaded, but many non-technical people don't understand how browsers really work.

Other judges focus on whether or not your webmail account is really "backup" for the ISP. Either way, the end conclusions: webmail is not considered "electronic storage" under the law for the purpose of the Stored Communications Act. While accessing someone's email can (and likely does) still violate other laws, the very law that most people would probably think most directly applies, almost certainly does not.

The reality is that, when it was passed, back in 1986, it probably seemed to make sense that "stored communications" would only be done for backup. While there were networked client/server type setups at the time, it's doubtful that the folks who wrote the law could have fathomed something like webmail or other online forms of communication. If we're talking about "stored communications" today, it seems ridiculous to have it not cover web-based mail systems or social networks. But the law doesn't seem to support that view -- because the law is incredibly out-of-date. But, of course, the problem with fixing the law is that lawmakers will, again, have trouble figuring out where we'll be just a few years out, and the law may either fail to cover what it thinks it covers or (perhaps worse) cover stuff that should be perfectly legal.

And this, of course, is what we fear when it comes to politicians meddling in technology. Even when they have the best of intentions, technology changes rapidly -- and old and obsolete definitions get left in the law and can create problems or situations that make very little sense. If Congress were able to clean those up quickly, perhaps there wouldn't be a problem, but Congress isn't known for fixing real problems quickly. We've been hearing talk of fixing ECPA for years, and it seems unlikely to happen for a while.

Filed Under: email, regulations, stored communications, technology

Appeals Court Says Emails Are Protected By The 4th Amendment

from the good-news dept

There have been a bunch of court cases recently that have explored the question of whether or not emails stored by your ISP were protected by the 4th Amendment. Some have made the argument that "stored communication" is not protected by the 4th Amendment due to the "third party doctrine," whereby you effectively give up your 4th Amendment rights because you've provided your data to someone else. Different courts have sorta bounced this topic around, ruling in a variety of different ways, while often punting on answering the question directly.

However, it appears that the 6th Circuit appeals court has said enough is enough and has ruled that your email is, in fact, protected by the 4th Amendment, with a rather clear statement on the matter:

Email is the technological scion of tangible mail, and it plays an indispensable part in the Information Age. Over the last decade, email has become "so pervasive that some persons may consider [it] to be [an] essential means or necessary instrument[] for self-expression, even self-identification." Quon, 130 S. Ct. at 2630. It follows that email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve. See U.S. Dist. Court, 407 U.S. at 313; United States v. Waller, 581 F.2d 585, 587 (6th Cir. 1978) (noting the Fourth Amendment's role in protecting "private communications"). As some forms of communication begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise. See Warshak I, 490 F.3d at 473 ("It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.").

If we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment. An ISP is the intermediary that makes email communication possible. Emails must pass through an ISP's servers to reach their intended recipient. Thus, the ISP is the functional equivalent of a post office or a telephone company. As we have discussed above, the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call--unless they get a warrant, that is. See Jacobsen, 466 U.S. at 114; Katz, 389 U.S. at 353. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.

Of course, it's worth pointing out that while this court says the government is forbidden from wiretapping without a warrant, our government has decided it can ignore that rule, so don't be surprised if it ignores this one too...

Filed Under: 4th amendment, email, stored communications, third party doctrine

Supreme Court Threads The Needle On 4th Amendment For Stored Communication

from the privacy-please dept

The Supreme Court today ruled in the Quon case, on the question of whether or not it was legal for a police department to look at the text messages sent by an officer (using a department issued device) as a part of an audit. The big question was whether or not communications that are stored elsewhere are subject to 4th amendment protection. This is a tricky question, and it looks like the Supreme Court effectively decided to punt on it by purposely avoiding the 4th Amendment issue, and ruled on a separate issue (saying that it was legal for an employer to look at an employee's messages). But on the specific 4th Amendment issue, the court was clear that it was better to look at the specifics of each situation, rather than creating a hard and fast rule:

The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. See, e.g., Olmstead v. United States, 277 U. S. 438 (1928), overruled by Katz v. United States, 389 U. S. 347, 353 (1967). In Katz, the Court relied on its own knowledge and experience to conclude that there is a reasonable expectation of privacy in a telephone booth. See id., at 360-361 (Harlan, J., concurring). It is not so clear that courts at present are on so sure a ground. Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.

However, the court did hint, that, despite the claims of some lawyers, 4th Amendment privacy rights can and should be extended to cover communications stored via third parties, since it would seem that there is a reasonable expectation of privacy.

Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. That might strengthen the case for an expectation of privacy.

That said, it also argues the other side would be that since those devices are so cheap, anyone who wants to do personal things can just use their own, rather than use an employer's device. But, either way, for now the Supreme Court has officially punted on the 4th Amendment question.

Filed Under: 4th amendment, privacy, quon, stored communications

Will The DOJ's Interpretation Of Email Privacy Make It Difficult To Prosecute Palin Email Hacker?

from the we-said-what-now? dept

While plenty of folks are talking about the cracking of Sarah Palin's personal email account, the EFF is noting that the Justice Department's own interpretation of email privacy laws may actually make it difficult to prosecute the hacker under the most obvious statute, the Stored Communications Act. You see, since the DOJ would prefer that your email not be considered private, it has interpreted emails that you've opened, but not deleted, as not being subject to the SCA. That's thanks to a somewhat contorted reading of the law that suggests that an opened email is no longer considered either in temporary or intermediate storage -- nor is it considered saved for backup purposes. Those happen to be the two requirements under the law. Thus, if the hacker accessed emails that Palin had already read, the DOJ may have trouble using the SCA, since its own statements (though, thankfully, not the courts) seem to believe that hacking in and reading already read emails is not covered by the law.

Filed Under: email, hacking, justice department, sarah palin, stored communications