[A federal appeals court last week tossed out a prosecution of Bradford Councilman in which he was accused of unlawfully reading e-mail on a computer he controlled. The immediate reaction from many corners was that this is a travesty of justice: Our privacy is forever lost! I'm not so sure. It seems to me that the folks who are most upset about this haven't read the court's opinion carefully, and those that have are discounting the ability of state law and tort sanctions to keep people in line. There are other mechanisms than just federal wiretapping law that can enforce good behavior. Following are three interesting replies on the topic shamelessly stolen from Dave Farber's list. --Declan] --- http://www.politechbot.com/2004/07/06/isp-wiretapping/ From: "sbaker@private" <sbaker@private> Date: July 2, 2004 9:55:17 AM EDT To: "'dave@private'" <dave@private> Cc: "Albertazzie, Sally" <SAlbertazzie@private> Subject: RE: [IP] more on more on E-mail intercept ruling - good grief!! Dave, There's been a real overreaction to Councilman. Meanwhile, we're missing a more important problem with the law of electronic communications. Broadly speaking, federal law recognizes three levels of protection for electronic communications -- real-time intercepts are treated as wiretaps and get the highest level of protection, stored communications get intermediate protection, and traffic data (who you sent messages to, how big the files were, etc.). The top tier of protection is ferocious, requiring extensive judicial oversight of the law enforcement intercept and providing criminal penalties for private taps. The bottom tier is not protected very well at all (in fact, there are several categories at the bottom with varying levels of protection that I'm skipping over). In the middle are stored communications, which are pretty well protected; they can't be obtained without a search warrant, for example, and it's a crime to access them without authority. When stored communications were first put on this intermediate step, the category was intended to be quite small -- it covered only communications stored as an "incident to" the transmission. The most obvious category is email stored in a Hotmail account before the recipient has read it. But the courts have found this narrow definition to be a weird and unsatisfying reading of the words "stored communications," and they've begun to stretch the category into something that more closely resembles what most people would consider "stored" communications. The result has been both to push some communications off the top tier and into the middle tier and to pull a vast amount of material out of the bottom tier and up to the middle tier. Thus, in the Ninth Circuit's Theofel case, if you read an email in your Hotmail account, then leave it stored in your mailbox, that read email is still treated as a stored communication, even though it really isn't stored "incident to transmission" any more. In short, "already read" email now can't be obtained except with a search warrant and they are protected by the criminal sanctions on unauthorized access. The Councilman decision of course expands the category of stored communication from the other direction, moving in-transit storage from the top tier to the middle tier. Frankly, of the two, by far the more important decision is the Ninth Circuit case (called Theofel). It vastly increased the quantity of heavily protected personal information compared to the modest, cheese-paring change made by Councilman. Somehow, though, I don't remember a big flap about how the Theofel case misunderstood the law or improperly allowed changing technology to move information from a largely unprotected to a heavily protected category. Understanding these distinctions should help address Peter Swire's concern. Even if VOIP intercepts could be conducted by digging content out of intermediate in-transit storage, and even if the Councilman case makes that legal (there's a big distinction between how a vague criminal statute is construed and how a vague intercept authority would be construed), law enforcement would still be required to get a search warrant to perform the intercept. Since, at its most aggressive, the 4th amendment only requires that law enforcement get a warrant for a search, it would be hard to find a constitutional objection to intercepts conducted with a warrant. Maybe Congress should look again at both Theofel and Councilman to decide whether we want a technical, narrow approach to protecting stored communications or a broad, more common-sense reading of that term, but that doesn't strike me as particularly urgent; indeed, from a policy point of view, I think the courts may have got this about right -- in both directions. Internet civil libertarians would be wiser to focus on a more substantial problem distorting Net architecture -- the extraordinarily low protection given to traffic data on the bottom rung. It's so easy to get traffic data today that law enforcement has begun distorting CALEA, which was meant to protect law enforcement's intercept capability, into a mechanism to protect law enforcement access to cheap, abundant traffic data. In short, the government is so in love with the data on the bottom rung that it's forcing hardware, software, and Internet service providers to recentralize the Internet in order to generate and make that data more readily available. Giving more protection to the bottom rung would probably increase privacy and diminish the Justice Department's enthusiasm for rewiring the Net. Stewart Baker From: Peter Swire <peter@private> Date: July 1, 2004 2:52:11 PM EDT To: dave@private Subject: RE: [IP] more on E-mail intercept ruling - good grief!! Reply-To: peter@private Dave: On VOIP interception, there is a statutory and a constitutional issue. The statutory issue is whether VOIP is a "wire" communication (like a phone call) or an "electronic" communication (like an e-mail or web communication). The Councilman court said that "wire" communications are considered "intercepted" even if they are in temporary storage. The key holding of the case was that "electronic" communications are not "intercepted" if the wiretap takes place while the communication is in temporary storage. "Wire communication" is defined as "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable or other like connection between the point of origin and the point of reception." I do not know whether a court has ruled on whether VOIP counts as a "wire communication." Quick research just now suggests we don't have a case on that yet. I can see arguments either way, based in part on whether a packet-switched communication counts as "aural." Under Councilman, if VOIP is an "electronic communication", then the provider therefore could intercept the VOIP calls for the provider's own use without it counting as an "interception." Providers already can intercept communications with user consent or to protect the system, but this would be blanket permission to intercept communications. The constitutional question is whether users have a "reasonable expectation of privacy" in VOIP phone calls. Since the 1960's, the Supreme Court has found a 4th Amendment protection for voice phone calls. Meanwhile, it has found no constitutional protection for stored records. In an article coming out shortly from the Michigan Law Review, I show why VOIP calls quite possibly will be found NOT to have constitutional protection under the 4th Amendment. It would then be up to Congress to fix this, or else have the Supreme Court change its doctrine to provide more protections against future wiretaps. Article at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=490623 . Peter Prof. Peter P. Swire Moritz College of Law, Ohio State University John Glenn Scholar in Public Policy Research (240) 994-4142, www.peterswire.net > Date: Sun, 4 Jul 2004 13:27:09 -0400 > From: Marc Rotenberg <rotenberg@private> > Subject: Re: Councilman -- OK to wiretap emails if you do it carefully > > This is a very interesting discussion. I agree with Dan Solove, > Patricia Bellia and others that there are obviously larger concerns > with ECPA than how Councilman was decided. > > It might be useful to explain some of the events that contributed to > the 1986 amendments. The ECPA is an unusual privacy statute. It was > not a response to a particular "privacy Chernobyl," to borrow > Senator Wyden's phrase, such as the death of Rebecca Schaeffer which > led to the Drivers Privacy Protection Act or the disclosure of Judge > Bork's video rental records which produced the Video Privacy > Protection Act. It was the result of the convergence of many factors > and a fairly deliberative process. > > There was, first of all, the emergence of commercial email service > providers, such as Compuserve and MCIMail in the early '80s. While > Internet email existed for some time, the operators were typically > universities and private federal contractors, such as BB&N. The rise > of the email business with paying customers and terms of service > required closer consideration of legal rules. > > Next, there was a letter from the Attorney General to Senator Leahy > expressing the view that traditional "Title III" standards, a > reference to the provision in the 1968 act which created the federal > wiretap law, did not apply to this new form of communication. This > created an opportunity for Congress and the Department of Justice to > begin a discussion about updates to the federal wiretap law. > > There were some privacy problems that Congress wanted to fix, such > as the recent decision in Smith v. Maryland, which had held that > there was no Fourth Amendment protection for access to pen register > information. There were also some law enforcement concerns that the > Department of Justice hoped to address. > > And then there were other developments that shaped Congressional > perceptions of both privacy concerns and new communications > services. 1984 was a big year in the privacy world because of > Orwell's novel. The House Judiciary Committee undertook an extensive > series of hearings on "Civil Liberties and the National Security > State." Conclusion: lots of new threats to privacy, but also an > opportunity for Congress to update the law. Rep. Kastenmeier, who > organized these hearings, would later became the House sponsor of > the '86 amendments to the federal wiretap act. > > 1984 also was the year of Judge Green's decision and the MFJ that > led to the break-up of AT&T, as well as passage of the Cable Act. > There was a growing recognition that there would be more private > sector communication services. Significantly, the deregulatory push > for new communications services was not seen as a reason to avoid > privacy legislation. That coupling did not emerge until the Internet > boom of the late '90s. And, as Mark E. noted, the Cable Act of 1984 > incorporated the strongest privacy standards of any US privacy law. > > In broad strokes, ECPA sought to achieve two goals. First, to apply > Title III protections to "electronic communications," not simply > wire communications. Second, to establish legal standards for access > to email in the possession of the service provider. While it is > clear that there are different standards under the the Wiretap Act > and the Stored Communication Act, the categories that resulted from > the 1986 amendments were then viewed as complimentary efforts to > protect the privacy of electronic communications. The "tiering" that > some have noted resulted more from the effort to address specific > problems -- extend coverage to electronic communication, create > safeguards for stored communications, establish statutory standards > for access to pen register and trap and trace data -- than to > formally order the privacy protection for each type of information. > > This is the significance of the dissent in Councilman. Judge Lipez > captured the intent of the Act and the problems that will result > from the majority's decision. It is hard to imagine that the > Congress that passed the 1986 amendments believed that an ISP would > afterward be able to routinely review the contents of subscriber > email. > > Orin may be right that the simple solution at this point is to > amend the definition of intercept. Still, one wonders what Congress > could have done differently in 1986 to produce a different result > in Councilman. > > An interesting contrast with the US efforts to establish privacy > protection for electronic communications can be found in the EU > Directive on Privacy and Electronic Communication. The Europeans > have tried to address some of the post-1986 electronic privacy > issues, including Caller ID, transactional data, and locational > information. But they have also encountered new challenges such as > whether to require the retention of customer data. Data protection > laws generally discourage the collection of transactional data, but > law enforcement concerns joined with post 9-11 datamining efforts > have put pressure on ISPs and telcos to keep customer data, and the > legislative resolution has largely been left to the member states. > > Marc Rotenberg. _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Tue Jul 06 2004 - 22:15:24 PDT