Politech mailing list archives

Appeals court rules in e-mail wiretapping case: So what? [priv]


From: Declan McCullagh <declan () well com>
Date: Wed, 07 Jul 2004 00:28:45 -0400

[A federal appeals court last week tossed out a prosecution of Bradford
Councilman in which he was accused of unlawfully reading e-mail on a
computer he controlled. The immediate reaction from many corners was
that this is a travesty of justice: Our privacy is forever lost! I'm not
so sure. It seems to me that the folks who are most upset about this
haven't read the court's opinion carefully, and those that have are
discounting the ability of state law and tort sanctions to keep people
in line. There are other mechanisms than just federal wiretapping law
that can enforce good behavior. Following are three interesting replies
on the topic shamelessly stolen from Dave Farber's list. --Declan]

---



http://www.politechbot.com/2004/07/06/isp-wiretapping/

From: "sbaker () steptoe com" <sbaker () steptoe com>
Date: July 2, 2004 9:55:17 AM EDT
To: "'dave () farber net'" <dave () farber net>
Cc: "Albertazzie, Sally" <SAlbertazzie () steptoe com>
Subject: RE: [IP] more on more on E-mail intercept ruling - good grief!!

Dave,

There's been a real overreaction to Councilman.  Meanwhile, we're
missing a more important problem with the law of electronic
communications.

Broadly speaking, federal law recognizes three levels of protection for
electronic communications -- real-time intercepts are treated as
wiretaps and get the highest level of protection, stored communications
get intermediate protection, and traffic data (who you sent messages to,
how big the files were, etc.).  The top tier of protection is ferocious,
requiring extensive judicial oversight of the law enforcement intercept
and providing criminal penalties for private taps.  The bottom tier is
not protected very well at all (in fact, there are several categories at
the bottom with varying levels of protection that I'm skipping over).
In the middle are stored communications, which are pretty well
protected; they can't be obtained without a search warrant, for example,
and it's a crime to access them without authority.

When stored communications were first put on this intermediate step, the
category was intended to be quite small -- it covered only
communications stored as an "incident to" the transmission.  The most
obvious category is email stored in a Hotmail account before the
recipient has read it.  But the courts have found this narrow definition
to be a weird and unsatisfying reading of the words "stored
communications," and they've begun to stretch the category into
something that more closely resembles what most people would consider
"stored" communications.  The result has been both to push some
communications off the top tier and into the middle tier and to pull a
vast amount of material out of the bottom tier and up to the middle
tier.  Thus, in the Ninth Circuit's Theofel case, if you read an email
in your Hotmail account, then leave it stored in your mailbox, that read
email is still treated as a stored communication, even though it really
isn't stored "incident to transmission" any more.  In short, "already
read" email now can't be obtained except with a search warrant and it is
protected by the criminal sanctions on unauthorized access.

The Councilman decision of course expands the category of stored
communication from the other direction, moving in-transit storage from
the top tier to the middle tier.  Frankly, of the two, by far the more
important decision is the Ninth Circuit case (called Theofel).  It
vastly increased the quantity of heavily protected personal information
compared to the modest, cheese-paring change made by Councilman.
Somehow, though, I don't remember a big flap about how the Theofel case
misunderstood the law or improperly allowed changing technology to move
information from a largely unprotected to a heavily protected category.

Understanding these distinctions should help address Peter Swire's
concern.  Even if VOIP intercepts could be conducted by digging content
out of intermediate in-transit storage, and even if the Councilman case
makes that legal (there's a big distinction between how a vague criminal
statute is construed and how a vague intercept authority would be
construed), law enforcement would still be required to get a search
warrant to perform the intercept.  Since, at its most aggressive, the
4th amendment only requires that law enforcement get a warrant for a
search, it would be hard to find a constitutional objection to
intercepts conducted with a warrant.

Maybe Congress should look again at both Theofel and Councilman to
decide whether we want a technical, narrow approach to protecting stored
communications or a broad, more common-sense reading of that term, but
that doesn't strike me as particularly urgent; indeed, from a policy
point of view, I think the courts may have got this about right -- in
both directions.

Internet civil libertarians would be wiser to focus on a more
substantial problem distorting Net architecture -- the extraordinarily
low protection given to traffic data on the bottom rung.  It's so easy
to get traffic data today that law enforcement has begun distorting
CALEA, which was meant to protect law enforcement's intercept
capability, into a mechanism to protect law enforcement access to cheap,
abundant traffic data.  In short, the government is so in love with the
data on the bottom rung that it's forcing hardware, software, and
Internet service providers to recentralize the Internet in order to
generate and make that data more readily available.  Giving more
protection to the bottom rung would probably increase privacy and
diminish the Justice Department's enthusiasm for rewiring the Net.

Stewart Baker




From: Peter Swire <peter () peterswire net>
Date: July 1, 2004 2:52:11 PM EDT
To: dave () farber net
Subject: RE: [IP] more on E-mail intercept ruling - good grief!!
Reply-To: peter () peterswire net

Dave:

        On VOIP interception, there is a statutory and a constitutional
issue.

        The statutory issue is whether VOIP is a "wire" communication
(like a phone call) or an "electronic" communication (like an e-mail or
web communication).  The Councilman court said that "wire"
communications are considered "intercepted" even if they are in
temporary storage. The key holding of the case was that "electronic"
communications are not "intercepted" if the wiretap takes place while
the communication is in temporary storage.

        "Wire communication" is defined as "any aural transfer made in
whole or in part through the use of facilities for the transmission of
communications by the aid of wire, cable or other like connection
between the point of origin and the point of reception."  I do not know
whether a court has ruled on whether VOIP counts as a "wire
communication."  Quick research just now suggests we don't have a case
on that yet.  I can see arguments either way, based in part on whether a
packet-switched communication counts as "aural."

        Under Councilman, if VOIP is an "electronic communication", then
the provider therefore could intercept the VOIP calls for the provider's
own use without it counting as an "interception."  Providers already can
intercept communications with user consent or to protect the system, but
this would be blanket permission to intercept communications.

        The constitutional question is whether users have a "reasonable
expectation of privacy" in VOIP phone calls.  Since the 1960's, the
Supreme Court has found a 4th Amendment protection for voice phone
calls.  Meanwhile, it has found no constitutional protection for stored
records.  In an article coming out shortly from the Michigan Law Review,
I show why VOIP calls quite possibly will be found NOT to have
constitutional protection under the 4th Amendment.  It would then be up
to Congress to fix this, or else have the Supreme Court change its
doctrine to provide more protections against future wiretaps.  Article
at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=490623 .

        Peter

        
Prof. Peter P. Swire
Moritz College of Law, Ohio State University
John Glenn Scholar in Public Policy Research
(240) 994-4142, www.peterswire.net





Date: Sun, 4 Jul 2004 13:27:09 -0400
From: Marc Rotenberg <rotenberg () epic org>
Subject: Re: Councilman -- OK to wiretap emails if you do it carefully

This is a very interesting discussion. I agree with Dan Solove,
Patricia Bellia and others that there are obviously larger concerns
with ECPA than how Councilman was decided.

It might be useful to explain some of the events that contributed to
the 1986 amendments. The ECPA is an unusual privacy statute. It was
not a response to a particular "privacy Chernobyl," to borrow
Senator Wyden's phrase, such as the death of Rebecca Schaeffer which
led to the Driver's Privacy Protection Act or the disclosure of Judge
Bork's video rental records which produced the Video Privacy
Protection Act. It was the result of the convergence of many factors
and a fairly deliberative process.

There was, first of all, the emergence of commercial email service
providers, such as Compuserve and MCIMail in the early '80s. While
Internet email existed for some time, the operators were typically
universities and private federal contractors, such as BB&N. The rise
of the email business with paying customers and terms of service
required closer consideration of legal rules.

Next, there was a letter from the Attorney General to Senator Leahy
expressing the view that traditional "Title III" standards, a
reference to the provision in the 1968 act which created the federal
wiretap law, did not apply to this new form of communication. This
created an opportunity for Congress and the Department of Justice to
begin a discussion about updates to the federal wiretap law.

There were some privacy problems that Congress wanted to fix, such
as the recent decision in Smith v. Maryland, which had held that
there was no Fourth Amendment protection for access to pen register
information. There were also some law enforcement concerns that the
Department of Justice hoped to address.

And then there were other developments that shaped Congressional
perceptions of both privacy concerns and new communications
services.  1984 was a big year in the privacy world because of
Orwell's novel. The House Judiciary Committee undertook an extensive
series of hearings on "Civil Liberties and the National Security
State." Conclusion: lots of new threats to privacy, but also an
opportunity for Congress to update the law. Rep. Kastenmeier, who
organized these hearings, would later become the House sponsor of
the '86 amendments to the federal wiretap act.

1984 also was the year of Judge Greene's decision and the MFJ that
led to the break-up of AT&T, as well as passage of the Cable Act.
There was a growing recognition that there would be more private
sector communication services. Significantly, the deregulatory push
for new communications services was not seen as a reason to avoid
privacy legislation. That coupling did not emerge until the Internet
boom of the late '90s. And, as Mark E. noted, the Cable Act of 1984
incorporated the strongest privacy standards of any US privacy law.

In broad strokes, ECPA sought to achieve two goals. First, to apply
Title III protections to "electronic communications," not simply
wire communications. Second, to establish legal standards for access
to email in the possession of the service provider. While it is
clear that there are different standards under the Wiretap Act
and the Stored Communication Act, the categories that resulted from
the 1986 amendments were then viewed as complementary efforts to
protect the privacy of electronic communications. The "tiering" that
some have noted resulted more from the effort to address specific
problems -- extend coverage to electronic communication, create
safeguards for stored  communications, establish statutory standards
for access to pen register and trap and trace data -- than to
formally order the privacy protection for each type of information.

This is the significance of the dissent in Councilman. Judge Lipez
captured the intent of the Act and the problems that will result
from the majority's decision. It is hard to imagine that the
Congress that passed the 1986 amendments believed that an ISP would
afterward be able to routinely review the contents of subscriber
email.

Orin may be right that the simple solution at this point is to
amend the definition of intercept. Still, one wonders what Congress
could have done differently in 1986 to produce a different result
in Councilman.

An interesting contrast with the US efforts to establish privacy
protection for electronic communications can be found in the EU
Directive on Privacy and Electronic Communication. The Europeans
have tried to address some of the post-1986 electronic privacy
issues, including Caller ID, transactional data, and locational
information. But they have also encountered new challenges such as
whether to require the retention of customer data. Data protection
laws generally discourage the collection of transactional data, but
law enforcement concerns joined with post 9-11 datamining efforts
have put pressure on ISPs and telcos to keep customer data, and the
legislative resolution has largely been left to the member states.

Marc Rotenberg.





_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

