Any discussion about PRISM centers around the concept of privacy on the Internet. For my third post on the history of U.S. Internet Legislation, I’ll focus in on the laws that govern our privacy online.
When attempting to ascertain the state of online privacy, there tends to be a lot of talk about law enforcement “abuses.” Having a basic understanding of the laws that serve as the basis for most law enforcement and Intelligence community programs that target online activity can help us determine how, and whether, things need to change.
Let’s start our brief look at those laws by imagining that I’m a U.S. Federal officer and you are an American citizen, and my goal is to go through your underwear drawer to look for suspicious activity. To do that I need a search warrant, signed off by a judge, and generally to get that I need probable cause. The Fourth Amendment to the United States constitution, which prevents unreasonable search and seizure, requires that. The Electronic Communications Privacy Act was written to codify that these fourth amendment rights also exist online. However, certain laws carve out exceptions to the warrant requirement under specific conditions.
Discussion of our privacy rights online center around what the government has and doesn’t have the right to do with our online data. In the wake of PRISM I want to define two categories through which we can explore those legal rights:
- Surveillance that is made possible by the acquisition of a search warrant by law enforcement
- Surveillance that is made possible through an exception to the warrant requirement
Below are a few common legislative acts (not an exhaustive list) that empower law enforcement to get data they seek online.
Surveillance under Warrant Requirement
Communications Assistance for Law Enforcement Act (CALEA)
CALEA is a law passed in 1994. It requires telecommunications carriers and equipment manufacturers to build their systems to help facilitate wiretapping if a warrant is issued for one. The actual wording is as follows:
To amend title 18, United States Code, to make clear a telecommunications carrier’s duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.
Over time CALEA began to be used to not only wiretap voice communications but Internet traffic and has become one of the major laws used for surveillance by the Federal government. Surveillance using CALEA follows due process. A judge needs to be convinced of the reason for the surveillance, and its scope is limited and restricted by design. On the face of it, CALEA does not violate the warrant requirement.
The Foreign Intelligence Surveillance Act (FISA)
FISA is the Foreign Intelligence Surveillance Act of 1978. It outlines how the US can gather intelligence about foreign powers and their agents. A special court was created to deal with foreign intelligence, the Foreign Intelligence Surveillance Court (FISC). The goal of FISC was to provide judicial oversight of the activities of the Intelligence community in a classified setting.
The work of FISC is largely kept secret, and most organizations who interact with FISC are barred from discussing it. Prior to the FISA Amendments Act of 2008 (FAA), FISC approved all FISA requests in a manner that did not violate the warrant requirement. Though this information is not public, FISC still ostensibly provides oversight over much of the work of the Intelligence community that does not violate the warrant requirement.
Exceptions to the Warrant Requirement
The Stored Communications Act, title II of the Electronic Communications Privacy Act (SCA)
The SCA was designed to defend the warrant requirement online against the ‘Third Party Doctrine’ which is a legal principle that states that if you give your data to a third party (such as a hosting provider or a bank) you cannot reasonably expect privacy. However, rather than being absolute, the SCA carves out exceptions to the warrant requirement in certain circumstances. One example of things that don’t require a warrant includes emails that sit on a server unopened for more than 180 days. If email meets those conditions, then a subpoena will do instead of a search warrant. It’s a strange and unfortunate exception to the warrant requirement.
Title II of The USA PATRIOT Act of 2001 (Patriot Act)
Title II of the The Patriot Act focuses on enhanced surveillance. There are a number of controversial provisions of the Patriot Act, which broadened and amended both ECPA and FISA to give the government more access to data with and without a warrant. One particularly notable provision often seen as a major exception to the warrant requirement is Section 212, which allows communications providers to proactively divulge confidential information in the event that they believe the information threatens to “life and limb”. This is considered an “exigent circumstance” under the law. It is similar to the idea of probable cause, though the bar is set higher.
If a cop pulls you over for speeding and has “probable cause” to suspect you are on drugs, an exigent circumstances clause may allow him to search your car for drugs even without a warrant. The Patriot Act basically allows Internet providers to divulge confidential information without a warrant upon request using the same concept. But by using the terms “life and limb” they were actually trying to set a higher bar than just the expectation of illegal activity.
Section 212 does not impose an affirmative obligation to providers to monitor content for illegal activity, but it does indemnify providers who share private data under certain circumstances. In order for providers to be indemnified, those providers need to believe that not only is it likely that illegal activity will occur, but it needs to be likely that people could be injured or killed. Of course, the government is asking companies to make that call, not a cop, which is the basis for many people’s concerns about this provision of the Patriot Act.
The Patriot Act also introduced the ability of law enforcement to issue a National Security Letter to access basic subscriber information or basic transactional data rather than seeking a warrant. National Security Letters also come with a gag order.
Without a doubt, the Patriot Act built in exceptions to the warrant requirement for Internet data. And when exceptions like Section 212 exist, people assume they are being used rampantly – though specific data on how prevalent their use is doesn’t exist.
The FISA Amendments Act of 2008 (FAA)
Section 215 of Title II of the USA Patriot Act changed FISA by allowing domestic persons to be monitored by surveillance programs as long as the focus remained on foreign surveillance. Theoretically if a surveillance program tries to meet a target of at least 51% of individuals not being US citizens, it can be a legal program post-2001. The FISA Amendments Act of 2008 updated FISA to limit the need of the FISC to oversee such programs. Section 702 of the FAA allows the Attorney General and the Director of National Intelligence to jointly authorize data collection programs.
Between the Patriot Act opening up the ability to sweep US citizens into FISA surveillance programs and the FAA allowing that to be done without direct judicial oversight, you can see how the US government could get to establishing a program like PRISM.
Join me next time for our final installment in A Short History of Internet Legislation, where I cover the other side of policing online activity: user protections and prosecutions under the Computer Fraud and Abuse Act.
Photo by gwen roolf.