| Search |
| Navigation |
| Syndicate |
|
| User login |
fourth_amendment
Jayson Ahern, Deputy Commissioner, U.S. Customs and Border Protection, recently posted a blog entry at the Department of Homeland Security's site. In it, Mr. Ahern takes issue with the criticism that has been level against Customs and Border Protection ("CBP") in light of the news that they've been routinely nabbing laptops and other electronic devices, imaging the full contents, and sharing those contents with other agencies. It's a tired refrain of the typical DHS line: 1) we're at risk; 2) we've always been doing it, anyway, and you just didn't know about it; and 3) the courts say it's okay, so that makes it okay.
Leadership Journal: Answering Questions on Border Laptop Searches:
First, it’s important to note that for more than 200 years, the federal government has been granted the authority to prevent dangerous people and things from entering the United States. Our security measures at the border are rooted in this fundamental fact, and our ability to achieve our border mission would be hampered if we did not apply the same search authorities to electronic media that we have long-applied to physical objects--including documents, photographs, film and other graphic material.
Who knew that documents, photographs, film, and other material constituted "dangerous things?" Those things aren't dangerous, of course, and to characterize them as such is the way of the simple, who have no reasoned explanations for their mindless actions. Might those items contain information that might be used to commit harm? Probably. However, it is people acting, not the things in their possession, that cause harm and create dangers. That's true whether the items contain child pornography, bomb making plans, or obscene comic books.
In the 21st century, terrorists and criminals increasingly use laptops and other electronic media to transport illicit materials that were traditionally concealed in bags, containers, notebooks and paper documents. Making full use of our search authorities with respect to items like notebooks and backpacks, while failing to do so with respect to laptops and other devices, would ensure that terrorists and criminals receive less scrutiny at our borders just as their use of technology is becoming more sophisticated.
So, to, do many law abiding Americans and aliens, who might like "to be secure in their persons, houses, papers, and effects." The difference is one of need. In this modern era of electronic media, there's little reason to feel threatened by the transport of a laptop. There are countless smarter, more efficient ways that a devious criminal would find to migrate that data across the border. In fact, a laptop with a spinning hard drive is perhaps one of the worst. It's the clear electronic devices that are the least threatening.
The agency would be better off not lying to the American people and fully explaining what this is: a fishing expedition. Grab laptops and these other electronic devices, create images, and then use them either in the coming copyright enforcement battles or to simply watch and hope for the appearance of incriminating data.
This brings me to my third point, which is that travelers whose laptops are searched represent a very small number of people. As Secretary Chertoff noted in a recent op-ed,
"Of the approximately 400 million travelers who entered the country last year, only a tiny percentage were referred to secondary baggage inspection…[and] of those, only a fraction had electronic devices that may have been checked.”This number is less than one percent of people entering the United States. Contrary to some media accounts, we’re not rolling out a new strategy and screening an exorbitant number of travelers. We’re simply following a common sense border policy that has been in place for years, and has been reaffirmed by the courts.
Unless they're horribly misstating their case, there is a "common sense" policy that permitted the CBP to search the electronic devices of up to 4 million people entering the United States last year. One percent may, indeed, be a small percentage. However, 4 million people is not a small number of people.
I hope this has helped answer some of your questions. One of the lessons 9/11 taught us was that we must adapt to 21st century risks and anticipate rather than react to new threats. Our CBP officers are on the front lines every day ensuring that these lessons are heeded. We trust that travelers understand the need for these sensible security measures.
"One of the lessons 9/11 [has] taught" the rest of us is that those in power will use 9/11 as a ready justification for any unwarranted intrusion into the privacy of Americans and the expansion of governmental power and knowledge. Can Mr. Ahern look at the mirror after trotting out this 9/11 crap to support his points? More importantly, if this has been long-standing policy, backed by more than 200 years of authority, as he asserts in the posting, shouldn't we have better lessons than 9/11? What laptops with plans slipped through prior to 9/11 that permitted it to occur?
None, would be my guess.
That's not an uncommon question. The argument may be easy to buy into. Stored email is afforded little protection under the Stored Communications Act (SCA). Given those weak protections, why bother with the complexities of interception when they can simply be requested from the provider?
The answer is simple. Savvy users of email will limit their exposure to subpoenas for stored email. How? Control of mail servers is the most likely. Media conversion of email on delivery is another. International mail servers is yet another. There are others. What's more, the government always limit its access to a single type of network traffic. If agents are already sniffing for instant message traffic, there's no reason to expect they won't also go ahead and collect emal information. The end result is that the government, in spite of the ease of collecting email under the SCA, will still have motivation and opportunity to intercept email.
If the government is going to intrude on Americans' privacy protections online by intercepting Internet communications, assessing the protections of intercepted email remains important.
Update: Fixed broken link to audio file.
Got something to say about someone else's podcast? Be prepared to get put on the spot.
Yes, last week I commented on the most recent Curmudgeon's Corner podcast. This week, I'm on it. (Note: Yes, I am holding the lamp in the photo, after having given Sam the "G.I. Sam" haircut.) Find audio Nirvana here.
I have now made my first podcast appearance. Can't get enough of me droning on in my writings about the First or Fourth (and in some cases Fourteenth) Amendments? Now, experience the audio version.
Until yesterday, my paper on Fourth Amendment and statutory protections against interception of Internet communications had little directly related case law. Now I have the Ninth Circuit's decision in U.S. v. Forrester, in the matter of the second defendant, Alba. When I first read the headline, I was a bit concerned. After reading the rest of Prof. Solove's commentary, as well as the opinion itself, I am no longer.
That is to say, I am no longer concerned about the state of my paper. I am concerned about where the courts are going to take constitutional protections on the Internet. Many of my complaints continue to come down to many of the overly simplistic analyses of email transport on the Internet. Prof. Solove trumpets Prof. Kerr's work in the above post:
Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.
Kerr's work does often make this distinction, but it often does so with an apparent misunderstanding of how email transportation works. Judge Fisher, in the Forrester decision, follows a path of similar technical missteps.
First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties.
In fact, all telephone users rely on third-party equipment. However, there are decided differences between telephone numbers opening a circuit and the routers that route traffic to destination IP addresses. But the problem runs deeper, and this is a significant complaint of mine in the literature. This peering of email and Internet use, as if sending an email is somehow different, is what allows for this butchery. For instance, the next paragraph begins:
Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers.
An Internet email address without an IP network attached goes nowhere.
There is a useful (to me) diversion into an email/snail mail comparison:
The government’s surveillance of e-mail addresses also may be technologically sophisticated, but it is conceptually indistinguishable from government surveillance of physical mail. In a line of cases dating back to the nineteenth century, the Supreme Court has held that the government cannot engage in a warrantless search of the contents of sealed mail, but can observe whatever information people put on the outside of mail, because that information is voluntarily transmitted to third parties.
. . .
E-mail, like physical mail, has an outside address “visible” to the third-party carriers that transmit it to its intended location, and also a package of content that the sender presumes will be read only by the intended recipient. The privacy interests in these two forms of communication are identical. The contents may deserve Fourth Amendment protection, but the address and size of the package do not.
Oh, it does, indeed. Email has an outside address called an IP address. But beyond that, it has outside addresses called envelope addresses, as specified by the RFCs. These, the technical envelope specifications, are ignored in the literature, but they are key to using Prof. Kerr's envelope terminology. For something to be an envelope, it must surely have an impact on the delivery of a message. The RFC content of a message has no bearing on delivery, yet Prof. Kerr (and now the Ninth Circuit) appear to be perfectly willing to allow it to be intercepted.
And so, this is just another lousy decision, crafted not with an understanding of Internet communications, but with the more typical understanding, that seems to reflect the belief that a "send button" magically whisks an email message to some remote spot on the globe. In the case of the Ninth Circuit, that spot appears to be someplace that need not have even heard of IP addresses.
As I've previously written, what I consider a key flaw in current analysis of Fourth Amendment (and Electronic Communications Privacy Act) protections against interception of Internet communication is that it takes a narrow view of what constitutes communication on the Internet. The standard is "any information" that concerns the substance, meaning, or purport of a communication.
We should look to other forms of communication to arrive at a reasonable definition of Internet communication. I've suggested voice as the most pervasive. We don't permit the recording of waveforms of speech and only exclude transcripts. Without a warrant, the government may not record a telephone conversation.
When a person sends an email message, that form of communication is chosen, for whatever reason, over a telephone call. While the propagation of sound is required for meaningful oral communication by telephone, the propagation of properly formatted SMTP commands and RFC 822 message bodies are required for comprehension of the stream of bytes comprising an email message. Without that formatting, there is no substance, purport, or meaning of an email. In many cases, it won't be delivered at all.
The SMTP commands that transport a message across the Internet are, therefore, comparable to the use of voice to communicate across a telephone line. The courts and the Congress don't allow the recording of the electrical underpinnings that make up that voice communication. It makes little sense to allow recording of the commands and formatting that make up an email message.
If I can get to a point where I can substantively establish this, it becomes clear that what follows is protection of the application layer.
The Sixth Circuit Court of Appeals ruled today in Warshak v. United States. At issue, in part, was whether a person has a reasonable expectation of privacy in their email stored at their ISP, and if so, whether the non-warrant seizure provisions of the Stored Communications Act are valid under the Fourth Amendment.
The answers: Yes and No. Yes, Warshak did have a reasonable expectation of privacy in his emails, even though they were stored at his ISP. The court reached this decision in spite of U.S. v. Miller, which has been repeatedly abused to suggest otherwise. Miller held that a bank customer has no reasonable expectation of privacy in bank records, because they have been turned over to a third party. The pro-search-and-seizure crowd has run with this, claiming that Miller stands for the proposition that any content turned over to a third party voids a reasonable expectation of privacy.
The issue is whether email messages are actually turned over to a third party for storage. In Miller, information of bank transactions were necessarily turned over to the bank; how else would they track what a customer did? Distorting it to have a much broader scope simply made no sense. Similarly, in Smith v. Maryland, the Supreme Court held that there was no reasonable expectation of privacy in the phone numbers a person dialed, because they were necessarily turned over and often recorded by the phone companies in their normal courses of business. However, Smith did overturn Katz by any stretch, and in fact imposed the content/non-content divide that has been causing so much consternation.
The court flatly denied the argument that a third party receiving and holding email messages constituted the elimination of a reasonable expectation of privacy, because the third party in this instance was simply an intermediary, not a party the content was being shared with:
Compelled disclosure of subscriber information and related records through the ISP might not underermine the e-mail subscriber’s Fourth Amendment interest under Smith, because like the information obtained through the pen register in Smith and like the bank records in Miller, subscriber information and related records are records of the service provider as well, and may likely be accessed by ISP employees in the normal course of their employment. Consequently, the user does not maintain the same expectation of privacy in them vis- a-vis the service provider, and a third party subpoena to the service provider to access information that is shared with it likely creates no Fourth Amendment problems. The combined precedents of Katz and Smith, however, recognize a heightened protection for the content of the communications. Like telephone conversations, simply because the phone company or the ISP could access the content of e-mails and phone calls, the privacy expectation in the content of either is not diminished, because there is a societal expectation that the ISP or the phone company will not do so as a matter of course.
That is some good stuff right there. Yes, a user of a commercial email service may retain a reasonable expectation of privacy in the messages stored by that service.
And so, the big question, are those facets of the Stored Communications Act that allow such seizures without warrants (or other sufficient notice to make the seizures reasonable) facially valid?
The Sixth Circuit said no:
Under Berger, facial invalidation is justified where the statute, on its face, endorses procedures to authorize a search that clearly do not comport with the Fourth Amendment. A seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functionaly equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to exactly this.
Perhaps a less crushing finding, but also an important one, was the finding that Warshak had standing to file this suit at all. It would have been easy for the court to crumble under the Lyons argument put forth by the government and let this slide under the table. However, unlike Lyons, the court noted that it is government policy to seize email using the procedures of the Stored Communications Act, and with the prosecution of Warshak still ongoing, there's still reason to believe that he had standing to request that the government be enjoined from further illegal seizures of his email.
What didn't the court address that I sure would like some more court action on? The divide between content and non-content. However, this is big. Congratulations to University of San Francisco Professor Susan Freiwald (my Cyberspace Law prof and the reviewer of my paper), Professor Patricia Bellia of Notre Dame, and the Electronic Frontier Foundation as Amici Curiae on this matter.
Dialing, routing, addressing, and signaling. Pen registers and trap-and-trace devices are devices that may be used to collect the non-content portions of a communication. As I've previously written, contents refers to "any information concerning the substance, purport, or meaning" of a communication. Therefore, non-content dialing, routing, addressing, and signaling information is necessarily such information that does not concern any such information about a communication. Simple enough, right?
Well, it seemed simple enough to Congress. They proceeded with the intention to call an "email address" a communications "facility," moving it into the definitions of pen registers and trap-and-trace devices. This involves a convoluted notion that one communicates from email address to email address, much as one communicates from phone to phone. Obviously, this is nonsense, but that hasn't stopped law enforcement from seizing upon this expansion.
However, let's assume for a minute that an email address actually is a communications facility unto itself, and that when we communicate via email, the endpoints are actually email addresses. If we focus solely on the real-time interception of non-content information of an email communication, what is "dialing, routing, addressing, and signaling" information, and what is "any content concerning the substance, purport, or meaning" of that communication? Remember, this is still a message in transit across the Internet.
Here's what we know. Before the email message can be sent, there is already going to be a TCP connection established between the sending computer and the receiving computer. Only after the TCP connection is established may the actual communication take place. When that message gets to the remote computer, that remote computer is going to have to receive it, most likely via the SMTP. In this day and age of heavy spam and other deviousness online, it is very likely that the message is going to have to be formatted somewhat well in order to be delivered.
In order for a message to be properly formatted for receipt by the remote computer, the sending computer will send SMTP commands, continuing to send others, followed by the actual content of the message being sent, in response to replies from the remote computer. The sending computer will give, at a minimum, its name, the email address that is sending the message, the email address that is the destination of the message, and finally, the message. If these steps aren't followed, the message will not be delivered.
But there's more. Once a message is delivered, for a communication to be complete, the message must be read. There are many things that may be carried in a message to allow it to be understood. Obviously, the body of the message allows it to be understood. But we're concerned, also, with any information that concerns the substance, purport, or meaning of the message.
In a telephone call, a great deal of substance, purport, or meaning may be derived from the voice of the communicator. In email, there is no such voice. However, the sending address certainly gives a message voice. The personalizable "From:" header my also lend such a voice. Bayesian spam filters assign scores to a message based on tokens in the headers, and these can also lend a voice, as can such headers as message priorities and the "Received:" headers, which allow a message to be traced and in many mail programs, is used to sort messages by date (and not the "Date:" header.)
In short, the proper use of SMTP commands, the email addresses and addressing, as well as received headers and the nature of the contents of the headers all lend substance, purport, and meaning to a message. However, under the most common interpretations of the current laws, all of those pieces of content may be readily obtained by law enforcement agents under the Pen Register Act.
The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq, places restrictions on the interception of communications contents, in accordance with the basic findings of Katz v. U.S. and some refinement in Smith v. Maryland. In § 2510(8), "contents" is defined as "any information concerning the substance, purport, or meaning of that communication." (emphasis added.)
In electronic communications, what standard must be met for information to concern the substance, purport, or meaning of the communication? That's an excellent question, and it's one I've been trying to answer. (I should probably note that "substance, purport, or meaning" is not the Supreme Court's language; however, the Supreme Court has cited that Congressional language on many occasions without obvious disagreement.)
Email is the context most often considered, especially after the USA PATRIOT Act attempted to make email addresses "communications facilities." The conventional wisdom with respect to email is that only the body of a message and maybe (maybe) the subject header is content. Everything else, the standard argument goes, is non-content. I disagree, and I think on a technical level this position is undermined by finding analogies to clearly protected forms of communications, but specifically telephone communications.
Those of us who understand email also understand that message headers are meaningful. In an age when nearly every message sent on the Internet will face at least one spam or virus filter, those headers lend substance and purport, because they enable a message to be delivered. In this age of massive Bayesian filters, where header tokens can classify a message as spam or not, message headers lend substance and purport.
But message headers do something more. They communicate the sender, as well as the chosen representation of the sender's name and email address. When I see who a message comes from, especially if I am forced to check the headers to see the path, substance and purport are immediately gained. In many cases, I must check those things to know who the sender was.
And where does this leave the telephone analogy? Imagine if oral communications (which have greater statutory protection, but use the same "contents" definition) were recorded, such that the spoken words were obscured, but the tones, inflections, and voices could be heard. What if we could record greetings of phone conversations to understand who the target was?
The government can't, at least not legally, without a warrant. However, the government may collect all of your message headers, intercepting them in bulk, without a warrant.
The big questions, then, are what do we mean by "any"? "Concerning"? "Substance"? "Purport"? "Meaning"? It's not entirely clear, and finding the appropriate law that can shed light on these issues is tough.
This is just the tip of the iceberg. There are, in my opinion, considerably more problems with the current analysis of the protections of electronic communications, and they almost all hinge on clearly broken ideas of how the Internet works.
More to come.
As I mentioned in my previous post, this is occupying much of my time these days. The general area concerns government surveillance of communications. It raises questions of just what protections Katz provided, and how they may be best applied to the Internet. Opinions run the gamut.
The most extreme anti-protection side says that Katz doesn't really apply at all. All communications on the Internet are exposed to third parties, and therefore, there is no reasonable expectation of privacy. The only protection for Internet communication is what the legislature promulgates. Right now, that's the combination of the Wiretap Act, the Electronic Communications Privacy Act and the USA-PATRIOT Act.
The most extreme pro-protection side feels that all communications should be protected, that that includes all Internet communications, and the wittling down of protections brought on by subsequent cases, like Smith v. Maryland and others.
Throughout the middle there's a lot of stuff. It's that stuff I'm adding to.
| Browse archives |
| IP/Tech Blawgs |
| Other Blawgs |
| Friends |
| USF Law Blawgs |