This article’s author discusses the influence that Sotomayor’s concurring opinion in U.S. v. Jones has already had on the White House, federal judges, and legal scholars. To recall, Sotomayor asserted in that case that the third party doctrine is no longer tenable in the digital age where individuals routinely convey a vast amount of information about themselves to third parties.
This article’s author suggests that Sotomayor’s position may have important ramifications for the NSA’s metadata program: Should the NSA’s metadata program ever reach the Supreme Court, “the high court will have to reckon with Sotomayor’s reasoning in Jones.”
This article raises a number of questions: Faced with challenges from legal scholars and civil liberties groups, is the third party doctrine likely to lose its judicial stronghold? More pointedly, will Sotomayor’s stance evolve into the Supreme Court’s majority position over time?
Article by Susan Lahey 5 February 2014: ECPA and A Reasonable Expectation of Privacy in the Digital Age
Since we just discussed the ECPA in class on Wednesday, I thought it would be a good idea to find an article on ECPA for my blog post. As such a hot-button issue, ECPA seems to always be in the news and there were no shortage of recent articles. I chose an incredibly recent one that I thought also summed up a number of issues we discussed.
The article, in summarizing a recent panel discussion on ECPA, focuses mainly on the cloud and the inherent privacy risks that the ECPA creates. As the article notes, the ECPA hasn’t been changed in nearly 30 years whereas technology has grown leaps and bounds. One panelist noted that a computer in 1986 (the year ECPA was enacted) could only store the data equivalent of two digital photographs.
The article, however, also did a good job noting the panelists who defended ECPA. That panelist questioned whether citizens can really have any privacy in the cloud. Since privacy laws were created to protect what was done in the home, communication done in a public forum arguably has no privacy right. Public activity such as cloud storage, tweets, Facebook posts, and information stored on servers in other countries shouldn’t be protected. The panelist further argued that people who store data in the cloud are trading privacy for convenience. The counter-argument, however, is that there is a difference between making information public and allowing the government to access your information.
The article also discussed the growing problem of intimidation tactics used by some investigators to access information. As the article notes, “For example, an investigator might say “The attorney general isn’t going to be happy with your refusal to cooperate.” As Robinson said, as an attorney, he knows to respond “The attorney general is your boss, not mine” and require that any requests follow proper channels. A company who doesn’t have a staff attorney might not know to do that.” Furthermore, the investigators often don’t understand the technology and ask the hosting company to conduct the research for them. The panelist supporting ECPA surprisingly supported the idea of charging fees for those kinds of services.
Finally, the article highlighted a discussion on the panel of what reforms to the law will be necessary going forward. Some ideas: protecting electronic information, limiting the discretion of certain agencies and lawmakers, and closing loopholes in the law.
All in all, I really thought this article, though it only summarized a panel discussion, did a great job highlighting some of the main criticisms of the ECPA, put forth potential solutions, and also offered a balanced defense of the legislation as well.
This is an article in the Daily Caller that criticizes Obama for not providing a more clear vision for how he aims to bring more balance to surveillance and data collection activities of the government. The article specifically proposes that the ECPA be updated and expanded to protect data in the cloud – which the article defines as private data stored on servers on the internet.
The author, Stephen Titch, observes that cloud computing had not been conceived of at the time of the ECPA’s passage. Moreover, cloud computing is unique in a number of practical ways that may require special treatment, at least with respect to government or third party access. Unlike traditional information storage, information on the cloud is continually accessible by the user in a way that does not require location proximate to the storage location. It is also used for a wide variety of promising practical applications (smart homes, driverless cars, and wearable computers) that are useful in personal everyday day-to-day activity. Moreover, usage in these personal everyday activities requires the divulging and storage of massive amounts of personal data. For instance, cloud usage in driverless cars would require constant divulging of one’s GPS location. Hence, the article notes that “companies involved in cloud technology will require a high degree of trust and goodwill from the marketplace if consumers are going to feel comfortable sharing data.”
Titch proposes extending ECPA protections to data that is collected in the cloud. Titch thinks this is important because the United States has already lost a lot of political capital and public trust in the US government’s respect for information privacy. He notes that a number of foreign companies have become hesitant or refused to store data in the United States.
An ambiguity that Titch does not address is exactly how the ECPA should be modified to address cloud storage – or if in fact the ECPA needs to be modified to address it. On an obvious reading, cloud storage appears to be clearly covered under the Stored Communications Act. This would be most obvious in cases where the data stored are traditional documents (like .pdf documents, mp3 files and the like). That said, in the case of uses like driverless cars, much of the data may not operate as stored communication so much as transmission. Driverless cars may, for instance, be using the cloud as an intermediary for transmitting data between a GPS satellite, a remote Google computer and the driverless car. On this reading, cloud storage may be covered under the Wiretap Act, as accessing cloud information would essentially involve “intercepting” information passing (through the cloud) from a driverless cloud to a remote Google computer or GPS satellite. On another reading, cloud storage may be covered under the Pen Register Act, since much of the information stored in the cloud may be purely incidental or irrelevant to any content that a user intends to send (such as GPS location). This is to say, it is not clear if the ECPA needs to be modified to address cloud storage and computing, but it is not exactly clear if cloud storage is a distinct “kind” that needs to be covered by the ECPA. Information seemingly could fit under any of the three Acts, which would make the ECPA sufficient. However, this ambiguity and the public conception of “the cloud” as a single type of medium, may be a good reason to explicitly designate “the cloud” as a type of medium that needs to be protected.
Forbes recently posted an article titled “Told Ya So: NSA’s Collection of Metadata is Screamingly Illegal.” The article claims that not only does the NSA’s metadata collection violate the constitution (specifically the Fourth Amendment), but that it is also forbidden because no law authorizes it and several laws forbid it. The NSA relies on section 215 of the Patriot Act which allows the FBI to obtain court orders for companies to produce “tangible things” that are “relevant” to an authorized foreign intelligence investigation.
The Privacy and Civil Liberties Oversight Board (“PCLOB”), a blue-ribbon panel looking into this issue found that section 215 does not provide an adequate legal basis to support the program because (1) telephone records acquired under in it have no connection to a specific FBI investigation, (2) they are collected in bulk and cannot be regarded as “relevant,” (3) it obligates telephone companies to furnish new calling records rather than just turning over records in their possession, and (4) the statute only permits the FBI to obtain items for its investigation rather than the NSA.
The article argues that not only is the NSA metadata collection not authorized by section 215, but it is also prohibited by the Electronic Communications Privacy Act (“ECPA”). Sections 2702 and 2703 of the ECPA prohibit phone companies from sharing their customer information records with the government except within a specific set of enumerated circumstances that does not include section 215 orders. This article presents a compelling case that the NSA metadata collection is not just unauthorized but actually violates the law. The secrecy of the program and the judicial proceedings related to it make it very difficult for the public to understand that the law is being violated and even harder to fight back against it.
However, the article is also a bit one-sided and may overstate its case by claiming that this metadata collection is “screamingly illegal.” The article claims that the data collection violates the fourth amendment as if it is a given, but the truth is more complicated. Under some relevant case law, the collection of metadata arguably is not a fourth amendment search because metadata does not constitute the content of the call/message. While there is an argument that the scale of data collection makes this unconstitutional, the article does not address it and just takes the fact that metadata collection is unconstitutional as a given. The article also overstated how obvious it is that the metadata collection violated the law.
Overall, this is an interesting article that does a good job explaining the laws that we studied in class and how they connect to the NSA metadata collection program in layman’s terms. It also provides a good summary of the findings of the PCLOB. However, by overstating its case, it loses some credibility. The authors would have been better off explaining the complexity of the counterarguments to their article in more detail rather than simply dismissing them as obviously wrong.
We are living in a time that is completely dominated by social media. Many people maintain a presence on several different social media platforms. We put an unprecedented amount of information out into the public sphere through these services, but most people have probably not considered the implications that third party doctrine could have on these social media communications. This article considers how third party doctrine could affect social media communications, including the potential privacy implications and the possibility for future development in this area of law.
Third party doctrine developed several decades ago, with the Supreme Court decisions in Smith v. Maryland and United States v. Miller. These cases found that warrantless government access of information individuals had shared with a third party – in Smith the information was shared with a phone company, and in Miller it was shared with a bank – was not a Fourth Amendment violation. The Court in Miller explained, “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” An individual would have no legitimate expectation of privacy in any information shared with a third party, and the government would be free to obtain that information without a warrant.
Based on Miller and Smith cases, it seems clear that social media platforms such as Facebook would be considered third parties. This raises the concern that any information shared with them would therefore be available to the government without raising any Fourth Amendment violations. However, there have been significant technological developments since those decisions, and the Court has never ruled on third party doctrine as specifically applied to third parties in the digital age. The article notes that Justice Sotomayor’s recent dissent in United States v. Jones left open the possibility that the law could be changing in light of these concerns. She wrote in her dissent, “all information voluntarily disclosed to some member of the public for a limited purpose” is not necessarily “disentitled to Fourth Amendment protection.”
The article fleshes out the issue at hand by noting that while email communications have been given Fourth Amendment protection in spite of the third party implications, social media raises different, unique concerns. We do not yet have an answer on whether things like tweets or Facebook status updates are entitled to any Fourth Amendment protection – the article points out that “[c]ourts are still divided” and have “not yet [provided] clear guidance on this issue.”
Is this enough to constitute a reasonable expectation of privacy under the Fourth Amendment? Perhaps not, and the article even suggests that our widespread use of social media could actually be eroding our privacy rights, claiming “the very act of sharing parts of your life online, or agreeing to hand over your data recklessly, potentially weakens the constitutional protections awarded to us all.”
Whatever implications social media has for our privacy rights, Alan Butler, Appellate Advocacy Counsel for the Electronic Privacy Information Center (EPIC), asserts, “courts will be forced to update their Fourth Amendment analysis to adjust for new technologies.” In the meantime, all we can do is wait for the courts to clarify how third party doctrine will affect social media privacy. This is clearly an area of law that is ripe for further development.
Given our discussion of the ECPA and the third party doctrine I decided to look for an article discussing the protection, or lack thereof, for cell phone meta data.
This article raises several issues we identified in our discussions of U.S. v. Jones and the ECPA. Specifically it addresses Obama’s statement regarding the NSA surveillance program that the NSA was not listening to citizen’s phone calls or reading their e-mails. The article rightly states that this distinction between content and non-content is disingenuous. This distinction aims to reassure the American people that their expectation of privacy is not being violated or at the very least minimally invaded. As the author points out, while metadata may not contain what is traditionally thought of as “content”, it can be very revealing. Meta data can provide insight about an individual’s location, political affiliation, social network and location. Further, according to the article and a Nature study cited in the article, “four data points about the location and time of a mobile phone call made it possible to identify the sender 95 percent of the time.” The article also focuses on how metadata is more valuable to the NSA as it cuts down on the traffic the NSA must assess and is easier to organize, and detect patterns.
Given the value and power of metadata, it is concerning that there are gaps in its protection under current privacy law. Metadata does not appear to be sufficiently protected under the ECPA. The article notes that metadata is the “least protected form of communications information”. The NSA reportedly was gaining access to cellular metadata under the pen register act. This means they gained the metadata upon a showing that the information likely to be obtained was relevant to an ongoing criminal investigation.
Given the Court’s acceptance of the third party doctrine, even the judicial system could fail to protect one’s expectation of privacy in his or her metadata. This article brought to mind Justice Sotomayor’s discussion of the third party doctrine in her concurrence in US v. Jones. As Sotomayor noted, the third party doctrine is ill suited to the digital age. As technology advances, individuals are sharing a wealth of information about themselves without realizing the implications of their actions. An individual may understand that their cellular phone will reveal their location to their service provider, but they may not reasonably suspect that “their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits…”
Overall, I think this article is useful in understanding the basic objections in the recent NSA surveillance controversy.
In the months following former National Security Agency (NSA) contractor Edward Snowden’s leak of a large number of top secret NSA documents revealing that the agency’s broad surveillance programs were sweeping in the information of millions of domestic electronic communications users, internet giants such as Google and Microsoft, and later, telecom providers including AT&T and Verizon, have petitioned the Justice Department for permission to release information related to government requests they’ve received that seek user information. After negotiations with the government over the content and format of permissible disclosures, certain companies are beginning to publicly report such information. On January 22, 2014, Verizon released its first Transparency Report for the 2013 calendar year. The first report of its kind from Verizon, with significantly more detail than reports previously released by other companies, the Transparency Report adds a significant amount of clarity to our understanding of the type and volume of government requests for caller information – an understanding that has previously been clouded by incomplete data on requests for information relating to the location and identities of targeted callers, which law enforcement officers obtain by subpoena, or by court order under the Pen Register Act (PRA), and certain expansions thereof under the FCC’s interpretation of the Communications Assistance for Law Enforcement Act (CALEA). The report reveals a startling number of information requests, particularly by subpoena, and under the broader and more lenient provisions of CALEA.
In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), which significantly updated the law governing the ability of law enforcement agencies to intercept oral communications made telephonically or through other electronic media, and access content and user information related to non-oral communications sent and stored electronically. The PRA was passed as Title III of the ECPA, and specifically addressed law enforcement’s capabilities to obtain the telephone numbers dialed from a particular targeted telephone (traditionally obtained in real time through a device known as a pen register), as well as the numbers of incoming calls to that targeted telephone (traditionally obtained in real time through a trap and trace device). A court order to use such devices would be issued upon a showing that the information likely to be obtained through their use would be relevant to an ongoing investigation – an exceedingly low standard, particularly as compared with the requirement supported by a showing of probable cause necessary for a court order to be issued under other provisions of the ECPA. In response to the emergence of new communications technology which created barriers for law enforcement agencies attempting to access information transmitted or stored by communications carriers, in 1994 Congress passed CALEA, which at its core, requires that all telecommunications providers have a means to provide law enforcement agencies with information they have legal authorization to access in the course of an investigation. In a case challenging the surveillance capabilities that were interpreted by the FCC as necessary for telecommunications companies to provide under CALEA, the D.C. Circuit court upheld the requirement that carriers make available the physical location of the antenna towers that mobile phone users connect to throughout a call. Analogizing to the location information typically obtained by accessing phone records gathered from pen registers and trap and trace devices, the court reasoned that providing access to such location information from antenna towers instead, was not an expansion of previous law enforcement capabilities under the PRA, and was thus consistent with CALEA’s legislative mandate. Notably, however, because such information is not obtained under the PRA – because no pen registers or trap and trace devices are used in the collection of location information from antenna towers – the authority for gathering such information falls under CALEA, backstopped only by the 4th Amendment, which does not generally protect such information.
While the Transparency Report revealed that only approximately 6,300 pen register and trap and trace device orders were received, Verizon disclosed that approximately 35,000 requests to produce location information were received. Among those, 11,000 requests were pursuant to warrants, while 24,000 requests were pursuant to court orders. These numbers show a disturbingly great desire for user location data. For example, Verizon received around 63,000 general orders, half of which it described as requiring “the same types of basic information that could also be released pursuant to a subpoena.” This would include information such as user names, addresses, and a list of phone numbers called, which law enforcement officers can obtain by subpoena, in the course of an investigation without judicial approval. Location data is particularly sensitive to many people, as it reveals not only who we were, but where we go. The fact that less than one third of this information was obtained pursuant to a warrant – only issued upon the requisite showing of probable cause mandated by the 4th Amendment to the U.S. Constitution, which many citizens believe is the standard that must be met before their personal information can be gathered by law enforcement agencies – illustrates the high rate at which such information is being disclosed pursuant to a far lower standard.
Still more unsettling, is the revelation that 3,200 warrants or orders were for “cell tower dumps.” According to the report, “[i]n such instances, the warrant or court order compelled [Verizon] to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time.” Such requests seem inherently overbroad, and as described by the ACLU, are “ripe for misuse.” For example, in one known instance, police in Michigan requested a cell tower dump to gather information on all cell phones that were congregated in a particular area, because of purported concerns of a possible riot. There was, however, no riot, and it was discovered that the only planned congregation in that area was an organized labor protest. As described by Stephen W. Smith, a federal magistrate in Houston, prosecutors have been using requests for location information as “a surreptitious tracking device,” demonstrating that law enforcement has conceived of methods for using location information that are far more insidious than a mere ex post examination of user data.
Verizon reports that such requests are up substantially from 2012, and are expected to continue to rise. While Verizon has taken an important first step toward increasing the transparency of law enforcement surveillance practices, other carriers should follow Verizon’s lead and provide statistic that are more disaggregated. Moreover, the Justice Department should recognize the great public interest in increased transparency and enable Verizon and other carriers to issue more comprehensive disclosures with data disaggregation, and report more detailed explanations of the type of information requested, the effect on individual users, and the legal basis for such requests. Absent Congressional action or a change in law enforcement practices, only increased disclosure and transparency can assure the public that surveillance abuses are not taking place.
For all of you Android users, there’s an app for that. The Android app alerts users when their location data is being accessed by apps on their phones. It also identifies which apps are accessing the information. It will be available in Google Play in the next couple of months. There’s also an an app available in the Apple Store called ProtectMyPrivacy. Unfortunately for iPhone users, the app requires the users to first jailbreak their phones.
I included this article because I thought students might find it useful. The developer of the Android app hoped that it would encourage Google and Android apps to provide more prominent disclosures and collect less personal information. Ultimately, consumers will decide whether they want to exchange their privacy for Flappy Bird and Facebook, but at least they will know that they are making that choice.