If the private emails of the head of the Central Intelligence Agency aren't safe from police snooping, how safe do you think yours are? As all of the world now knows, former general and CIA director David Petraeus and his biographer Paula Broadwell have engaged in some extramarital hanky panky. Without rehearsing the details of their liaison, the affair was uncovered when investigators from the Federal Bureau of Investigation raided their email accounts.
On what authority did the FBI obtain and read their emails? Largely its own. A senior FBI official or a federal prosecutor can simply issue an administrative subpoena, without a judge's approval, requiring an Internet service provider to turn over emails and other electronic records without notifying the user. Unless charges are filed or information is artfully leaked to the media as in the Petraeus affair, the user may never know that law enforcement has been prying into their private data.
How can law enforcement get away with snooping into our emails and other documents stored online? After all, the Fourth Amendment guarantees the right of citizens "to be secure in their persons, houses, papers, and effects," against unreasonable searches and seizures by government agents without a warrant based on probable cause. It is long settled law that the police must get a warrant approved by a judge based on probable cause to look at a citizen's personal mail or documents. But not if those documents are located on third party servers in the "cloud," argue the FBI and other law enforcement agencies.
The FBI's claim to be able to access your private emails and documents rests on the agency's interpretation of the Electronic Communications Privacy Act (ECPA) of 1986. When enacted more than 25 years ago, the ECPA updated wiretap monitoring and data storage provisions to protect against snooping by private third parties. The ECPA also required that law enforcement obtain a probable cause warrant from a judge to gain access to emails in transit, emails stored on a home computer, and unopened email stored remotely for 180 days or less.
However, the ECPA permits the police to use administrative and other subpoenas to look at opened emails and unopened emails stored remotely for more than 180 days whenever the police claim that they have "reasonable grounds to believe" that the information sought would be useful in an investigation. In contrast, the higher probable cause standard for obtaining a search warrant requires that the police show a judge the information being sought is actual evidence of a crime. The rationale justifying the use of a mere subpoena is that the opened emails are not being "stored" and those unopened for more than 180 days are "abandoned property" in which the owner no longer has any expectation of privacy. In addition, any messages in your sent box or draft messages are not considered to be stored and are thus open to police scrutiny.
Police snooping into our electronic communications is rising steeply as Google's Transparency Report earlier this month made clear. In the first half of this year, U.S. law enforcement made about 8,000 demands for user information and Google complied with 90 percent of them. Oddly, Google does not reveal how many of the police demands for information about its customers were backed by probable cause warrants.
The ECPA was adopted before online services offered their customers cheap massive storage. Remember when you had to clean out your AOL mailbox every few weeks? Now I have nearly 120,000 emails (mostly unopened) in my Gmail inbox. Currently, the police interpret the law as giving them the right to read nearly every one of my emails and attached documents should they persuade themselves that it might be useful to do so in the course of an investigation.
Did the FBI get a warrant to look at the emails exchanged by Petraeus and Broadwell? "We don't know," says American Civil Liberties Union legislative counsel Christopher Calabrese. He pointed to a number of conflicting accounts in the news that suggested that they could have been obtained by simple administrative subpoena and that perhaps a warrant was later issued as the investigation proceeded.
Earlier this year, Sen. Patrick Leahy (D-Vermont) had introduced the ECPA Amendments Act that would have required law enforcement to obtain a probable cause warrant from a judge to gain access through third party providers to private emails and other documents stored on the Web. In addition, the police would have had three days in which to inform the customer of the warrant and the information obtained. Customer notification could have been delayed if the police can persuade a judge that it would, among other things, result in endangering the life or physical safety of an individual, provoking flight from prosecution, or in the destruction of evidence.
The ACLU's Calabrese adds that the ECPA needs further strengthening by requiring law enforcement agencies to issue periodic reports on how extensively the police are using their electronic surveillance powers. Congress and the public cannot regulate or object to activities that they cannot see. In addition, the ECPA needs a provision specifically mandating that information obtained in violation of the amended act not be admissible in court.
Now comes possibly bad news. CNET is reporting today that Leahy has done essentially a 180-degree turn and is now proposing to amend the ECPA in ways that would dramatically expand the power of law enforcment to surreptitiously read and monitor the private online communications of American citizens. The revised legislation, according to CNET, "Grants warrantless access to Americans' electronic correspondence to over 22 federal agencies. Only a subpoena is required, not a search warrant signed by a judge based on probable cause."
However, Leahy's office (via Twitter) is denying the accuracy of the CNET report and insists that the proposed amendments to the ECPA will, in fact, require that "the disclosure of the content of email and other electronic communications by an electronic communication or remote computing service provider to the Government is subject to one clear legal standard — a search warrant issued based on a showing of probable cause." The Senate Judiciary Committee may vote on the amendments next week.
If it turns out that Congress will not defend us against intrusive government surveillance, perhaps the courts will. For example, in 2010 the U.S. Court of Appeals for the 6th Circuit in the case U.S. v. Warshak ruled, "The government may not compel a commercial ISP to turn over the contents of a subscriber's emails without first obtaining a warrant based on probable cause."
In the modern world, our private papers and communications are digitized and stored in the cloud. It is way past time that law enforcement's invasive surveillance powers be reined in by extending the Fourth Amendment's protections against unreasonable searches and seizures to cyberspace.
Disclosure: I am still a card-carrying member of the ACLU.