Little peepers everywhere
America’s laws governing digital and mobile surveillance are an unholy mess
As telephones became more common, the Olmstead standard grew more untenable. It ended in 1967, when the court decided that fourth amendment protections extend anywhere a person has “a reasonable expectation of privacy”. If police wanted to wiretap a phone, they now needed a warrant, just as they would if they wanted to search a person’s home.
But the warrant requirement applies only to the actual conversation, not to the numbers dialled from a phone. Tracking these numbers requires a “pen/trap” tap (pen registers track the numbers called out from a phone, trap-and-trace devices record the numbers calling in). In 2001 the Patriot Act allowed pen/traps to be served on internet-service providers (ISPs) as well, where they reveal e-mail senders and recipients, the size of each e-mail sent and received, the IP address with which a computer communicates and the sites visited while browsing the web. The standards for getting a pen/trap approved are far lower than for getting a wiretap. The Electronic Communications Privacy Act (ECPA), which was passed in 1986 and remains the main law governing access to electronic communication, requires police only to certify to a court that the information is relevant to an investigation. For a wiretap, police must show both probable cause and that “normal investigative procedures have been tried and failed.”
Wiretaps, which have increased almost tenfold since data was first reported in 1969, are only the tip of the surveillance iceberg. In 2011 federal and state courts approved a total of 2,732 wiretaps; but government agencies made over 1.3m requests for data to mobile-phone companies. That figure includes wiretaps and pen/traps, but it also includes requests for stored text messages, device locations and tower dumps, which reveal the presence of everyone—suspects and not—within range of a particular mobile-phone tower at a particular time. Most of these requests require no warrants at all. Sometimes all it takes is a subpoena from a prosecutor.
Internet companies have also seen a sharp rise in requests from law-enforcement agencies for information about their users. Between July and December 2010 Google received 4,601 requests; in the same period last year that number jumped to 6,321. Among the things that Google is typically asked for are account information and location data. Twitter, a microblogging service, received 679 requests from American authorities for information about users in the first half of this year, which is more than it got in all of 2011. The firm says it complied with three-quarters of these requests, though it does not say whether it handed over all or simply a fraction of the information requested in each case. Google, which says it complied with 93% of the requests from American officials in its most recent reporting period, is similarly vague about what it coughs up.
Web firms say that police tend to grab as much information as they can rather than targeting specific items relevant to a case, so they have to vet requests carefully. Twitter is also pushing back in court. Earlier this month a judge in New York ordered Twitter to hand over almost three months’ worth of messages from a protester involved in the Occupy Wall Street movement accused of disorderly conduct. Twitter opposed the request, arguing that its users have a reasonable expectation of privacy (perhaps oddly, given that anyone can follow a twitterer). The judge disagreed; on July 18th, Twitter appealed.
The previous day, the American Civil Liberties Union (ACLU) appeared in federal court to force the Department of Justice (DoJ) to make public how often it uses pen/traps. That would be a welcome development. The eight mobile-phone companies that were asked collectively for data 1.3m times last year revealed that information by choice, in response to a letter from a congressman who was prompted to inquire by an article in the New York Times. The Pen Register Statute, passed as part of the ECPA, requires the DoJ to report its use of pen/traps to Congress. But it has published no reports since 2009.
The ECPA could also do with a thorough scouring. When it became law there were only 340,000 mobile-phone subscribers in America, and the internet was the province of hobbyists and academics. Distinctions that made sense then no longer do. E-mail is subject to differing sets of protections when it is being typed, sent and stored. A bank statement printed out and kept in a drawer, saved on a personal computer or stored in a private e-mail account is also subject to varying standards.
Metadata (the records of who people call and e-mail, and when, as distinct from the content of conversations) can now be amassed on a vast scale, and run through powerful software that can use it to create a fairly complete portrait of a person’s life and habits—often far more complete than just a few recorded conversations. It deserves more protection than it now receives. And citizens, especially those suspected of no crime whose data is gathered up in a dragnet, deserve more clarity on what law enforcement does with their data and how long they keep it. Even with the best of intentions, the ECPA is almost impossible to apply consistently or fairly. Such murkiness serves no one well.
Beyond such changes lies America’s vast national-security apparatus. Among the many expansions of government snooping power contained in the Patriot Act after the attacks of September 11th, 2001, it became far easier for the FBI to issue national-security letters, which compel service providers to turn over vast amounts of data about the recipients of such letters without a court order. The FISA (Foreign Intelligence Surveillance Act) Amendments Act allows intelligence agencies to eavesdrop on communications between Americans and people overseas without a probable-cause warrant. FISA investigations require an order from the FISA Court—which meets in secret, and in the 32 years from 1979 to 2011 rejected a grand total of 11 applications. They are subject to no other review.