Month: April 2016

  • Legislators Continue to Drag Feet on ECPA Reform

    By: Alex Schindler (Panel 4)

    The way we transmit and store our information by electronic means has changed dramatically since 1986, so why hasn’t the Electronic Communications Privacy Act? As government surveillance powers and the technological means of exploiting them have expanded in three decades, an archaic loophole has remained, allowing law enforcement to subpoena or otherwise access “stored communications” older than 180 days with less than probable cause and a warrant. This remains law on the books even after the Sixth Circuit’s 2010 decision in United States v. Warshak granted email the same privacy protections due physical mail. As some would tell it, law enforcement agencies are to blame for the failure of Congress to fix this statutory oddity despite bipartisan support, popular pressure (at least since the Snowden revelations), and lobbying from civil rights advocates and technological industry leaders alike.

    Bipartisan reform proposals have emerged in both the Senate and the House. Senators Patrick Leahy (D-Vermont) and Mike Lee (R-Utah) introduced the Electronic Communications Privacy Act Amendments Act (S. 356), which like its House counterpart the Email Privacy Act (H.R. 699, advocated by Reps. Jared Polis, D-Colorado, and Kevin Yoder, R-Kansas) closes the antiquated 180-day loophole. In December 2015, Slate reported that S. 356 had 25 cosponsors and H.R. 699 had 306—the latter constituting an easy House supermajority. Even the White House has been a voice in favor of increasing privacy protections in our digital era: former Attorney General Eric Holder supported a warrant requirement for email searches in 2013, and President Obama’s “big data report” called for ECPA reform the following year.

    Yet a vote on these ECPA reform bills has been consistently delayed for years. A markup and vote on the House bill is finally scheduled for April 13th, and the markup will no doubt reflect the concerns of the institutions who have presented the major counterweight to a seemingly popular position: law enforcement agencies. They are also responsible for the many delays.

    In September, an SEC director testified before the Senate that its investigations would be hindered if it could not easily access personal content stored by online service providers. Five months earlier, the agency’s chairperson Mary Jo White testified that its investigations would be hindered if it could no longer use its administrative subpoena power to access content information (one which hinges on a “relevance” standard rather than the stricter probable cause requirement envisioned by the reform). And indeed, such has been the pattern for years: despite an unusual confluence of interests between powerful corporations and civil rights advocates, the advocates of robust law enforcement powers have delayed and hobbled ECPA reform.

    In two weeks we shall see whether markup of the House bill carves out exceptions for civil agency investigations, as demanded by the SEC. Either way, privacy advocates will continue to oppose ad hoc distinctions in the law regarding expectations of privacy in email and other digital communications, or special exemptions for government agencies.

  • Information Privacy-Paul J Mancuso

    Information Privacy Post

    By: Paul J Mancuso

    The Department of Justice recently dropped its case against Apple after the FBI managed to unlock the iPhone of one of the shooters in the San Bernardino terror attacks.  The DOJ had previously obtained a court order that would have required Apple to write software to access the iPhone.  However, the dispute between the technology industry and law enforcement over access to encrypted information is not over.  While the DOJ waged its public fight with Apple over access to the locked iPhone, the government considered how to resolve its separate standoff with Facebook over access to its messaging application, WhatsApp.

    The DOJ is currently pursuing a criminal investigation in which a federal judge has approved a wiretap, but investigators are frustrated by WhatsApp’s encryption.  WhatsApp has “end-to-end encryption,” under which only intended recipients are able to read the messages.  In contrast to the iPhone dispute, as The New York Times reports, the wiretap order and all of the information associated with it are under seal.  As Nate Cardozo comments for the Electronic Frontier Foundation, it appears that the DOJ has not yet asked the court for a follow-on order that would compel WhatsApp to decrypt the messages.  If the DOJ were to do so, it would base its motion on the “technical assistance” provision of the Wiretap Act.

    As The New York Times reports, “investigators view the WhatsApp issue as even more significant than the one over locked phones because it goes to the heart of the future of wiretapping.” Although for the past fifty years the DOJ has relied on the wiretap as a fundamental tool to investigate and fight crimes, law enforcement officials are now concerned that encryption technology will render wiretaps useless in the future.  As a result, it is expected that Senators Richard Burr and Dianne Feinstein of the Senate Intelligence Committee will soon introduce legislation that will expose technology companies to civil penalties for refusing to comply with court orders to help investigators access encrypted data.  Although Reuters reports that the proposal is unlikely to gain traction in the House of Representatives, which supports digital privacy in the wake of the Snowden revelations, Robert Litt, the top U.S. intelligence community lawyer, thinks “momentum on the issue could turn in the event of a terrorist attack or a criminal event where strong encryption can be shown to have hindered law enforcement.”

    http://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie-wiretap-order.html?login=email

    http://www.reuters.com/article/us-apple-encryption-legislation-idUSKCN0WB2QC?feedType=RSS&feedName=technologyNews

    https://www.eff.org/deeplinks/2016/03/next-front-new-crypto-wars-whatsapp

    https://news.vice.com/article/fbi-unlocks-san-bernardino-iphone-and-drops-case-against-apple

  • Maryland Court says Use of IMSI Catchers Violate the Fourth Amendment

    By Nicole Kramer

    The following blog post was written following an article featured on Fortune’s online platform, and can be found here.

    On March 30, 2016, the Maryland Court of Special Appeals issued an opinion written by Judge Leahy that found that the Baltimore Police Department’s use of IMSI catchers to track suspects’ phones without search warrants violated the Fourth Amendment as an unreasonable search.

    IMSI catchers, such as the Hailstorm at issue in the Maryland case, are eavesdropping devices that intercept mobile phone calls and help determine a user’s precise location, thereby “transform[ing]” mobile phones into “real-time tracking device[s].”[1] Such devices are increasingly being used by law enforcement agencies without a warrant, raising significant privacy concerns. In Baltimore alone, it is estimated that the technology has been used in at least 2,000 investigations.[2]

    The Baltimore Police Department had relied on an approved application for a pen register/trap & trace order on the suspect’s cell phone to locate and arrest the petitioner in this case. One argument that arose in the lower court arguments was that, unlike with GPS or cell site information, information gathered with IMSI catchers was not generated willingly by the phone, rather the technology “forc[ed] the phone to emit information”[3] and identify itself. The information was not merely available to anyone who wanted to look for it; it was not “readily available and in the public view.”[4] And this fact weighed heavily in the court’s opinion.

    In the opinion, Judge Leahy discussed Justice Douglas’s dissenting and concurring opinions in Osborn v. United States, Lewis v. United States and Hoffa v. United States which raised a fear of a society becoming more accustomed to “surveillance at all times.”[5] She sided with the court in Katz, especially Justice Harlan’s concurrence, which offered individuals strong protection against unreasonable searches and seizures in the face of advancing technology. The court ultimately found, in accordance with the Supreme Court rulings in Karo, Kyllo, and Jones, that Justice Harlan’s two-part test should be applied, and that “people have an [objectively] reasonable expectation that their cell phones will not be used as real-time tracking devices by law enforcement,”[6] and therefore that the use of such technology required a search warrant imposing reasonable limitations on the scope and manner of the search.[7] The court further added that the prior case law established that the “use of surveillance technology not in general public use to obtain information about the interior of a home, . . . is a search under the Fourth Amendment.”[8]

    However, as the court noted, there are some exceptions to this conclusion. The court first looks to the Third Party Doctrine and United States v. Miller and Smith v. Maryland, but ultimately rejects this exception. The doctrine “provid[es] that an individual forfeits his or her expectation of privacy in information that is turned over to a third party.”[9] The state argued that the petitioner forfeited his expectation of privacy by carrying a cell phone that he knew would be communicating with nearby cell towers. But in these cases and those that followed from them, including Graham, it remained necessary that the user voluntarily convey the information to a third party,[10] which did not happen in Andrews.

    The Maryland Court ruling was a success for privacy advocates. The state’s attorney general has not stated whether his office will challenge the ruling.

    [1] State v. Andrews, 2016 Md. Ct. Spec. App. LEXIS 33, *1 (March 30, 2016).

    [2] David Z. Morris, Maryland Court Says Phone Tracking Unconstitutional, Fortune (April 3, 2016, 4:22PM EDT), http://fortune.com/2016/04/03/maryland-court-phone-tracking/.

    [3] Andrews at *19.

    [4] Id. at *59.

    [5] Id. at *28.

    [6] Id. at *2.

    [7] Id. at *65.

    [8] Id. at *50.

    [9] Id. at *65.

    [10] Id. at *69-70.

  • Smith v. Maryland, Third Party Doctrine as Applied to Reddit Users

    Naadia Chowdhury

    This past Friday, Reddit users were concerned about government internet surveillance and the privacy of their data. In its annual report, Reddit typically lists the kinds of requests it gets for its consumer information and for complaints to remove content. Reddit’s latest annual report was missing a paragraph that typically says Reddit did not receive a national security letter to conduct electronic surveillance. This indicated to users that the government may have sent Reddit a national security letter allowing the FBI to conduct surveillance and access user information without a warrant or court order.1

    To become a user on Reddit, you do not need to disclose a lot of information. Potential users create a username and disclose their email addresses. Compared to other social platforms, there is not a lot of directly identifiable information. It can be argued, however, that an email address is enough information to track down an individual.

    Even if the FBI was not working under the national security exception to the requirement of getting a warrant or court order to complete surveillance, it seems unlikely that Reddit users could successfully argue they have privacy rights against the government accessing their information. Based on Smith v. Maryland, Reddit users do not have a legitimate expectation of privacy regarding their information because they disclose their email addresses and activities on Reddit to Reddit employees and the company. Any information a Reddit user discloses is information he or she voluntarily conveys to the company, and the user therefore assumes the risk of having that information revealed to a government official.

    In United States v. Forrester, the Ninth Circuit Court of Appeals determined internet users have no legitimate privacy expectations in the IP addresses of the websites they visit. The information Reddit users disclose seems analogous to this case and so, users have weak legal protections in their information.

    It is still not clear if privacy policies that companies have will alter the analysis courts undertake to determine whether there is a legitimate expectation in privacy. It would be logical that the assumption of the risk a user undertakes when registering on a website with a privacy policy guaranteeing to keep the user’s information safe would be altered and be a more limited assumption. If Reddit provides a privacy policy, perhaps an argument can be made, but as of 2008, protections against government electronic surveillance are fairly weak under the Smith test.

  • From Apple to Lavabit: The ECPA and the Legal Struggles Surrounding Encryption

    By: Debra Slutsky

    Although the FBI dropped its lawsuit to compel Apple to assist it in unlocking one of the San Bernardino shooter’s iPhones, the case provides insight into how the Justice Department grapples with modern digital communications using existing law. According to Kim Zetter’s article in Wired, Long Before the Apple-FBI Battle, Lavabit Sounded a Warning, such a struggle between the Justice Department and tech companies, specifically those that offer encrypted communication services, is not new. Zetter writes that Lavabit “made a surprising cameo this month in a brief filed by US attorneys in that case. The attorneys invoked the Lavabit case in a footnote as part of a threat to Apple…” However, as the Lavabit and Apple cases demonstrate, the channels available to the government for accessing such communications are largely legally untested and dependent on law that contemplated a much more primitive technological landscape.

    In the Apple case, attention was brought to the government’s use of the All Writs Act, a 227-year-old law that grants judges the authority to issue writs, or orders, to compel parties to perform acts within the bounds of law. Through the All Writs Act, the FBI sought to force Apple to build a backdoor into its iOS operating system in order to access encrypted iMessages. The case has also brought the spotlight to the Pen Register Act. The Pen Register Act is a component of the Electronic Communications Privacy Act (ECPA) of 1986. While originally intended to record outgoing telephone numbers dialed, the Pen Register Act was expanded by the Patriot Act to include IP addresses and email headers. In 1979, the significant case Smith v. Maryland affirmed that the use of a pen register by a telephone company does not violate the 4th Amendment. This metadata permissibly collected, however, provides deeper insight than just the frequency and duration of phone numbers. This was noted in Smith v. Maryland by Justice Stewart in his dissent, where he wrote that telephone metadata, “although certainly more prosaic than the conversation itself – [is] not without ‘content’…I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have dialed. This is not because such a list might in some sense be incriminating, but because it easily could reveal…the most intimate details of a person’s life.”

    Similarly, in 2013, the FBI obtained and served an order pursuant to the Pen Register Act upon Lavabit founder Ladar Levison. The order permitted the FBI to obtain information sent to and from the email account of the target, Edward Snowden. Since Lavabit employed SSL encryption to protect transmitted data, the order further required Levison to provide the SSL keys to access Snowden’s emails. Lavabit’s roughly 400,000 subscribers would be placed at risk of having their emails vulnerable, since the company used only five SSL key-pairs. Levison planned to challenge the order, but lacking financial resources, he was forced to represent himself pro se during initial proceedings. He was held to be in contempt of court after refusing to comply with the order to hand over Lavabit’s encryption keys. On appeal, the contempt order was affirmed, and the appellate judge never addressed Levison’s challenge to the underlying legality of the Government’s use of the Pen Register Act to obtain SSL keys since he did not properly object to that issue during the earlier proceedings.

    In its case against Apple, the Justice Department cited to the Lavabit case for the proposition that its pen register order to produce SSL encryption keys was affirmed on appeal. Levison took to Facebook to publicly state that the Government’s language was “incredibly misleading” as to the appellate court’s actual ruling. The statement is accurate. As the law stands, the Government has wide-ranging authority to obtain pen register orders to access digital communications. The bounds of Government authority to obtain digital communications and the lengths it may go to compel third parties to assist in such measures are, however, ripe for review. The Lavabit and Apple cases both concluded before ever reaching a definitive ruling. With encryption becoming the standard for digital communications, a case is bound to arise in the near future that will definitively rule on the issue.

  • PRG News Roundup: April 6th

    Nest is shutting down a smart home hub of a company that they acquired a few years ago. Kit Walsh, Nest Reminds Customers that Ownership Isn’t What it Used to Be, Elec. Frontier Found., https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be (Apr. 5, 2016).

    WhatsApp has enabled end-to-end encryption on its messages. Robert McMillan, Facebook’s WhatsApp Launches ‘End-to-End’ Encryption, Wall St. J., Apr. 5, 2016, http://www.wsj.com/articles/facebooks-whatsapp-turns-on-encryption-by-default-1459869097.

    FTC released a call for papers, which are due in October 2016. Privacy Con: Call for Presentations, Fed. Trade Comm’n, https://www.ftc.gov/privacycon-call-for-presentations (last visited Apr. 6, 2016).

    FTC Commissioner Julie Brill left her position several months early. Brent Kendall, Democratic Commissioner Julie Brill to Leave FTC, Wall St. J., Mar. 23, 2016, http://www.wsj.com/articles/democratic-commissioner-julie-brill-to-leave-ftc-1458686208.

    The largest leak of documents happened this past weekend. The Panama Papers has directly led to the downfall of the Prime Minister of Iceland. Panama Papers: Iceland PM Sigmundur Gunnlaugsson Steps Down, Apr. 6, 2016, http://www.bbc.com/news/world-europe-35966412.

    The FCC voted to go ahead with notice and comment on new privacy rules for ISPs. Natasha Lomas, FCC Proposes New Privacy Rules for ISPs, TechCrunch, Apr. 4, 2016, http://techcrunch.com/2016/04/04/fcc-proposes-new-privacy-rules-for-isps/.

  • PRG News Roundup: March 30th

    U.S. Justice Department claims it was able to unlock San Bernardino shooter’s iPhone without Apple: http://www.nytimes.com/2016/03/29/technology/apple-iphone-fbi-justice-department-case.html?_r=0

    Dave Chappelle uses locking pouches to make shows phone-free: http://www.ew.com/article/2015/12/02/dave-chappelle-cell-phone-pouch-yondr-chicago