February 2015 Archives

February 24, 2015

How Would You Know if the Feds Searched Your E-mail? -- ECPA's Missing Notice Requirement

Alan Butler

EPIC recently filed comments on proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, which would authorize judges to issue "remote access" search warrants in certain cases. As EPIC outlined, the surreptitious computer searches conducted under these remote access warrants would run afoul of an important Fourth Amendment protection -- the requirement of prior notice. But the issue of delayed or non-existent notice is not limited to remote access searches; it is an issue with all electronic search authorities, and especially with searches conducted under the Stored Communications Act, 18 U.S.C. § 2703.

The U.S. Government issues tens of thousands of e-mail search warrants each year, and yet users are rarely given notice when their accounts have been searched. Some providers have been ordered not to notify their subscribers, but the gag order provisions of the Electronic Communications Privacy Act (ECPA) are quite narrow. The recent release of warrants issued to Google for e-mails of Wikileaks staff members and the battle over the Lavabit warrant raise significant questions about the legality of the Government's gag order process. Under ECPA, users should be notified when a search warrant is issued to obtain the contents of their e-mail accounts, and in many cases the government should not be able to prohibit a service provider from notifying its customers.

More recently, Google sent a letter to several Wikileaks staffers, notifying them that their accounts had been subject to search warrants and related surveillance orders in the U.S. District Court for the Eastern District of Virginia. According to reports, Google fought the gag orders in these investigations for several years until the warrants were unsealed in May 2014. However, the documents released by Google do not explain the basis for the gag orders or the specific authority under which they were granted.

In another recent case in the Eastern District of Virginia, the court unsealed warrants and related orders issued to Lavabit after the FBI demanded that the e-mail provider turn over its SSL private keys (a Lavabit e-mail account was famously used by Edward Snowden to contact members of the media). The search warrant in that case was issued along with an order under 18 U.S.C. § 2705(b) not to notify any person "of the existence of the attached search warrant." But the Electronic Communications Privacy Act does not clearly authorize gag orders (or even require notice) for e-mail search warrants.

Background -- Notice of Searches Under the Stored Communications Act

The Stored Communications Act (SCA), part of the Electronic Communications Privacy Act of 1986, prohibits unauthorized access to stored electronic communications and gives law enforcement agents the authority to compel disclosure of stored communications in certain limited circumstances. Specifically, under 18 U.S.C. § 2703 a "governmental entity" may require a provider to disclose the contents of a "wire or electronic communication" that is "in electronic storage" under the following circumstances: (1) for a communication that has been in electronic storage for 180 days or less, pursuant to a warrant issued under the Federal Rules of Criminal Procedure (Rule 41) or an equivalent state warrant procedure, or (2) for a communication that has been in electronic storage for more than 180 days, either (a) pursuant to a warrant, with no notice to the subscriber required, or (b) pursuant to an administrative subpoena or court order, with prior notice to the subscriber. 18 U.S.C. §§ 2703(a)-(b).

The SCA also specifies that a government entity "acting under section 2703(b)" may request an order delaying the notification required under 2703(b) "for a period not to exceed ninety days" if there is "reason to believe that notification" would lead to an "adverse result" as defined in 2705(a)(2). Under section 2705(b), the government can go further and seek an order "commanding a provider" for "such period as the court deems appropriate, not to notify any other person" of the existence of the warrant. 18 U.S.C. § 2705(b). However, this gag order provision is tied to disclosures under 2703(b) -- that is, to warrants, orders, and subpoenas for communications stored for more than 180 days. So what happens when the government obtains a warrant for "fresh" e-mails that have been stored for 180 days or less?

What Notice is Required? -- In re United States

In July of 2008, the United States applied for two search warrants under section 2703(a) for Google subscriber e-mails. See In re U.S., 685 F. Supp. 2d 1210, 1214 (D. Or. 2009). The Government initially requested that notice to the subscribers be delayed under section 2705, but later changed its position and argued that no notice was required under 2703(a) and Rule 41 of the Federal Rules of Criminal Procedure. The magistrate judge found that Rule 41 required the government to provide notice to the subscriber upon execution of the warrant (the typical rule for search warrants).

But the Government appealed the magistrate judge's decision to the U.S. District Court for the District of Oregon. In a rare published opinion on search warrant procedures, the court found that the plain language of the SCA was ambiguous as to whether Rule 41 "notice" to the subscriber was required under section 2703(a). The court found that both Rule 41 and Fourth Amendment notice requirements would be satisfied by leaving a copy of the warrant with the service provider. But the court failed to consider whether a valid gag order could be issued to prevent the service provider from notifying its subscriber of the warrant.

In many cases where the Government applies for an e-mail search warrant, as it did in the Lavabit and Wikileaks cases, it will also apply for a gag order under 18 U.S.C. § 2705(b). But the statute makes clear that the gag order provision only applies when (1) the government is "not required to notify the subscriber or customer under section 2703(b)(1)" or (2) where "it may delay such notice pursuant to [section 2705(a)]." What happens when the Government obtains a search warrant for more "recent" e-mails under section 2703(a)? According to the statute, the gag order provision would not apply, and the provider would therefore not be prohibited from notifying its subscriber of the warrant. Yet that did not happen in the Wikileaks or Lavabit cases, so what is going on here?

Where Are All the E-mail Search Warrant Notifications?

My theory is that magistrate judges do not adequately differentiate between search warrants issued for "newer" and "older" e-mails as defined in the SCA (the "180-day rule"). I assume that most e-mail warrants, like those issued in the Lavabit and Wikileaks cases, are blanket requests for "all communications" that do not differentiate between messages stored for more than 180 days and those stored for 180 days or less. We can see from the history of In re U.S. that the Government itself does not always respect the distinction either. The underlying problem is that the SCA warrant procedures have not been subject to extensive judicial review. There are fewer than 450 decisions in federal and state courts over the last 30 years that cite 18 U.S.C. § 2703. And the only way this issue would come up is if a provider either (1) challenges an unlawful gag order, or (2) challenges a contempt order based on the violation of an unlawful gag order.

Another related problem is the growth of the "shadow docket" handled by federal magistrate judges. As Magistrate Judge Stephen Wm. Smith described in his article, Gagged, Sealed & Delivered: Reforming ECPA's Secret Docket, there is an utter lack of transparency in the judicial process surrounding SCA orders. A 2009 Report by the Federal Judicial Center found that an astonishing number of cases are filed under seal and that many of them remain hidden indefinitely. The Report revealed that, as of 2008, more than 18,000 warrant-type applications filed in 2006 were still under seal. By comparison, only 66,458 criminal cases were filed in 2006.

So how many search warrants are being issued for stored e-mail? According to Google's transparency report, there were 3,187 search warrants issued by the U.S. in the first six months of 2014 alone. According to the Yahoo! transparency report, content was disclosed in response to 1,396 U.S. government data requests in the first six months of 2014. Microsoft reports that it disclosed content in response to roughly 690 U.S. requests in the first six months of 2014. So tens of thousands of e-mail accounts are subject to U.S. search warrants each year, yet we rarely hear about users being notified. The question is: are courts issuing unlawful gag orders, or are providers failing to notify their customers after these warrants are served?

February 12, 2015

DoD Claim that NSA Is in Compliance with Privacy Act Rings Hollow

Jeramie Scott

In August of 2013, the Department of Defense ("DoD") released a notice of proposed rulemaking ("NPRM"). The proposed rule "update[d] the established policies, guidance, and assigned responsibilities of the DoD Privacy Program pursuant to The Privacy Act . . . ." When an agency publishes a proposed rule, it has to take public comments on the rule and then consider those comments prior to releasing the final rule. EPIC, joined by a coalition of public interest organizations, filed comments for DoD's consideration.

At the time the DoD's proposed rule was released, the Snowden revelations were just a few months old. Those revelations provided unparalleled insight into the NSA's mass surveillance activity. The NSA is a DoD component subject to the proposed rule and, of course, to the Privacy Act of 1974. Through review of the documents and news stories associated with the revelations, EPIC's coalition comments identified three NSA databases subject to the Privacy Act. Under the Privacy Act, such databases (known as "systems of records") require a System of Records Notice (SORN) to be published for the public. EPIC's coalition comments argued that there was no SORN for, at a minimum, the following three databases:

  1. The US identifier database (see bottom of page 3) of "telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons;"
  2. The database of contact lists the NSA retrieves from email address books and instant message "buddy lists;" and
  3. The NSA database containing information relating to social networks.

A SORN requires an agency to publish a number of pieces of information about the database it maintains. This includes the individuals covered by the database, the categories of records in the database, and the purpose of the database. Unfortunately, government agencies tend to use very broad language to describe these aspects of a database.

Just last month, the DoD published its final rule. The DoD's final rule responded to EPIC's coalition comments by claiming that the three databases described in our comments were already covered by an existing SORN, GNSA 18. Importantly, the DoD did not challenge the assertion that these NSA databases were systems of records subject to the Privacy Act.

As mentioned above, many parts of a SORN are often described in very broad terms, allowing the DoD to claim that everything under the sun is covered. There is one section, though, that requires a more specific description: the section on retrievability. Under this section, the agency must describe how information is retrieved from the database. GNSA 18 states, "Information is retrieved by individual's name, Social Security Number (SSN), and/or employee identification number." At a minimum, this description fails to describe how information is retrieved from the NSA's US identifier database.

Per a document signed off on by Attorney General Holder, titled Procedures Used by NSA for Targeting Non-US Persons Reasonably Believed to Be Outside the US to Acquire Foreign Intelligence Pursuant to Section 702 (FISC, July 29, 2009), the "NSA maintains records of telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons." Furthermore, "Prior to targeting, a particular telephone number or electronic communications account/address/identifier will be compared against those records in order to ascertain whether NSA has reason to believe that the telephone number or electronic communications account/address/identifier is being used by a United States person."

In contrast to what is stated in GNSA 18, the NSA compares telephone numbers and other identifiers (e.g., e-mail addresses) against the agency's database of U.S. person identifiers. This retrieval of information from the database by such identifiers is not covered by GNSA 18. Nor is it covered by any other NSA SORN. This is a violation of the Privacy Act and of DoD's own privacy rules.

About this Archive

This page is an archive of entries from February 2015 listed from newest to oldest.
