Posts Tagged ‘electronic privacy’

Update to email privacy law must go further

Sunday, May 12, 2013 at 10:39 am by

The following post by Mark M. Jaycox was originally published on Electronic Frontier Foundation’s blog Deeplinks, on May 9, 2013.

Proposals to update the email privacy law, the Electronic Communications Privacy Act (ECPA), are moving quickly in Congress. ECPA is in dire need of an update as it was written in the mid-1980s long before the advent of ubiquitous webmail and cloud storage. In the past, ECPA was used by the Department of Justice (DOJ) to obtain emails and other private online messages older than 180 days without a probable cause warrant. If law enforcement sought those same messages in the physical world, a warrant would be required. This difference is not only wrong, but also inconsistent with the Fourth Amendment. Senators Patrick Leahy and Mike Lee plan to fix this.

Last month, S. 607, a bill sponsored by Senators Leahy and Lee, passed out of the Senate Judiciary Committee. The bill requires that law enforcement obtain a warrant if it wants any private online messages, like private Facebook messages or Twitter direct messages. The Digital Due Process coalition, a diverse coalition of privacy advocates (including EFF) and major companies, has worked hard to advance ECPA reform and should be commended for its work. But because many agencies and companies already require a warrant for all private online messages, more could be done to bolster the law.

In United States v. Warshak (2010), the Sixth Circuit ruled that the 180-day rule, as written, was unconstitutional. At a hearing last month, the DOJ Office of Legal Policy finally admitted that emails older than 180 days should logically be protected by a warrant. That statement suggests that the DOJ will be seeking warrants for all private online messages going forward. The bill should go beyond the status quo. Missing in the bill is a suppression remedy. In the current draft, if law enforcement obtained your email without a warrant, in violation of the revised law, nothing would prevent that illegally obtained evidence from being admitted in a criminal trial. A suppression remedy is a common sense addition to the bill ensuring that its impact is equal to its intent: ensuring all private virtual messages—just like any other private physical message—are available to the government only with a warrant based on probable cause.

But even before DOJ’s admission, many companies already required a warrant before they allow law enforcement access to a user’s private messages. In The Hill, Google, Microsoft, and Yahoo—the three largest webmail providers—said they require the government obtain a search warrant before accessing private content. In addition, Facebook and Twitter also require a warrant for private messages. Our Who Has Your Back campaign lists even more companies.

Senators Leahy and Lee provided a good start for ECPA reform. Likewise, the DDP coalition has done tremendous work to move the bill forward. But ECPA reform must do more than codify the status quo. At the minimum, any bill passed by Congress should have a suppression remedy.

News Digest 05/10/13

Friday, May 10, 2013 at 5:00 pm by

5/10, Kevin Collier, Salon, Congress wants to let you unlock your cellphone

5/10, A.M. Gittlitz, TruthOut, Double Jeopardy: New York Activist Subpoenaed for Secret Grand Jury – Again

5/10, Max Fisher, Washington Post, Photos from Guantanamo’s force-feeding facilities

5/10, Natasha Lennard, Salon, Hidden in immigration reform, vast biometrics plan

5/10, Jonathan Weisman, New York Times, I.R.S. Apologizes to Conservative Groups Over Application Audits

5/9, Mark M. Jaycox, Electronic Frontier Foundation, Update to Email Privacy Law Must Go Further

News Digest 05/07/13

Tuesday, May 7, 2013 at 5:00 pm by

Current News

5/7, Adrian Chen, Gawker, Newly Declassified Memo Shows CIA Shaped Zero Dark Thirty’s Narrative

5/7, Paul Rosenzweig, Lawfare, CISPA – An Assessment

5/7, Greg Miller, Washington Post, CIA selects new head of clandestine service, passing over officer tied to interrogation program

5/6, Eyder Peralta, NPR, Prisoner Points To Quran Search For Gitmo Hunger Strike

5/6, CBS Staff, CBS (LA), Civil Rights Groups Sue LAPD, LA County Sheriff’s Department Over Automatic License Plate Readers

ECPA updates pass Senate Judiciary Committee

Thursday, April 25, 2013 at 6:03 pm by

An updated version of the Electronic Communications Privacy Act (ECPA) of 1986 has been approved by the Senate Judiciary Committee. The ECPA governs privacy regulations for nearly everything on the internet, and has not been updated in 27 years, despite significantly evolved technology. Other reforms for the ECPA were passed by the committee in November 2012, but not voted on by the whole Senate before the end of their session.

The current ECPA requires a warrant for emails less than six months old. Other information stored online or older emails can be accessed by government officials with only a subpoena. The current version of the law has led to many confused and contradictory legal rulings on what counts as “electronic storage,” a term defined before cloud computing. The updated version passed by the Judiciary Committee would require officials to get a search warrant from a judge before searching for any online data.

The Bill of Rights Defense Committee, as part of the Digital Due Process Coalition, joined over eighty other organizations and companies to send a letter to the Chairman of the Senate committee, Patrick Leahy, endorsing the amendments to the law. The letter states that the updates, “would provide clarity and certainty to law enforcement agencies at all levels and to American businesses developing innovative new services and competing in a global marketplace.” Other cosigners included Microsoft, Facebook, Mozilla, Twitter, Google, and Yahoo.

The BORDC’s Shahid Buttar said that:

Laws protecting our privacy online have been obsolete for decades, leaving all Americans at risk of arbitrary electronic seizures. The proposed reforms to ECPA are not enough by a long shot, but it is long past time for Congress to fix the digital exception to the 4th amendment.

These updates to ECPA must be passed in the Senate and the House before they are approved, but according to Politico, Congress is not expected to oppose the bipartisan amendments. It is important to remember that just a week ago the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The Senate has not seemed eager to approve CISPA and is making small steps towards protecting our online information by updating ECPA, but more regulation is needed to bring constitutional protection into the digital age.

CISPA Passes, but appears set to stall in the Senate

Monday, April 22, 2013 at 11:46 am by

On Thursday, April 18, despite unresolved and integral privacy issues, the House of Representatives voted against privacy and approved the Cyber Intelligence Sharing and Protection Act (CISPA). The legislation passed with 288 votes in favor and 127 against. While the majority of yes votes were Republican, nearly half of the Democrats in the House voted yes.

The vote comes on the heels of the CISPA Week of Action, in which corporations and Americans made their opposition to the bill clear. Companies such as Craigslist and Firefox took part and thousands of people contacted their representatives in Congress to express their concern around CISPA. Earlier this week, the White House also issued a veto threat, stating:

[T]he administration still seeks additional improvements and if the bill, as currently crafted, were presented to the president, his senior advisers would recommend that he veto the bill.

CISPA passed out of the House Intelligence Committee last week by a vote of 18-2. The bill was marked up in a closed session on Thursday, April 10, despite urgings from the privacy and civil liberties community to the contrary. BORDC, along with 40 other organizations, signed a letter urging an open and transparent markup. The closed markup begs the question: if the bill presents no privacy concerns, why not move it forward in a transparent and open way?

Unsurprisingly, the markup did not yield a significantly improved version of the bill. The committee voted down four amendments that would have significantly increased privacy protections. On the floor, the House voted down further privacy amendments, including one amendment that:

would have ensured companies’ privacy promises — including their terms of use and privacy policies — remained valid and legally enforceable in the future. Another would have curbed police ability to conduct warrantless searches of CISPA-shared data.

The sponsors of the bill, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), have maintained that there is no reason for concern, making inaccurate and misleading claims about the bill. They have argued that the bill does not contain overbroad provisions or definitions, brushing over the legal protections from liability for negligent actions by corporations that the bill creates. This is hardly surprising, considering the corporate interests behind the bill, and the dollars they have spent on lobbying. In fact, CISPA supporters spent 140 times as much lobbying as CISPA opponents. Similarly, CISPA supporters have donated 13 times more money in campaign contributions as CISPA.

However, it appears that the Senate has not been convinced. The bill still has to be approved in the Senate, and it appears that they are not eager to move. Senate reticence and the White House veto threat are good news, but anyone concerned about online privacy should continue to check out Electronic Frontier Foundation’s CISPA action page.

Constitution in Crisis::BORDC’s April Newsletter

Thursday, April 18, 2013 at 7:19 pm by

Constitution in Crisis

April 2013, Vol. 12 No. 04

View this newsletter as a webpage: http://www.bordc.org/newsletter/2013/04


In this issue:

BORDC releases model legislation to address domestic surveillance drones

BORDC News

Highlights from the past month include:

Grassroots News

Law and Policy

New Resources and Opportunities

CISPA goes to the floor for a vote, privacy amendments blocked

Wednesday, April 17, 2013 at 10:15 am by

The following post by Mark M. Jaycox, Kurt Opsahl, and Rainey Reitman was originally published on Electronic Frontier Foundation’s blog Deeplinks, on April 17, 2013.

Yesterday [April 16, 2012], the US House prepared for the debate on the privacy-invading “cybersecurity” bill called CISPA, the Cyber Intelligence Sharing and Protection Act. The rules committee hearing was the last stop before the bill is voted on by the full House.

In the hearing, Rep. Mike Rogers (R-MI) was questioned about the core problems in the bill, like the broad immunity and new corporate spying powers. In response, he characterized users who oppose CISPA as “14 year olds” tweeting in a basement.

The bill may be voted on as early as Wednesday. This means there’s little time left to speak out. Please tell your Representative to vote no on the bill:

Call your Representative

Tweet at your Representative

Here are some of the takeaways from the hearing.

Rep. Rogers Dismisses CISPA Opponents as Teenage Basement Tweeters

After a heated exchange about the overly broad legal immunity, Rep. Jared Polis (D-CO) noted the widespread opposition to CISPA by Internet users. In response, Rep. Rogers characterized opponents to CISPA as “14 year olds” tweeting in a basement. See the video here.

Of course, many people oppose CISPA — several thousand of whom tweeted at Rogers after his remark.

Internet companies like Mozilla, Reddit, NameCheap, Gandi.net, and others have also come out strong against the bill. And over 70 cybersecurity experts and academics sent a joint letter opposing CISPA last year, expressing their firm opposition to the dangers of Rogers’ approach to computer security:

We have devoted our careers to building security technologies, and to protecting networks, computers, and critical infrastructure against attacks of many stripes. We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties.

Earlier this week, 34 civil liberties groups sent a letter opposing CISPA in its current form.

And the newest addition to CISPA opposition? The White House, which issued a veto threat (PDF) yesterday.


Cyber Intelligence Sharing and Protection Act marked up in secret

Monday, April 15, 2013 at 10:27 am by

The Cyber Intelligence Sharing and Protection Act (CISPA) is continuing to move through Congress despite major, unresolved privacy issues.

Several weeks ago, privacy advocates, consumer associations, and technology companies all worked together during the Cyber Intelligence Sharing and Protection Act (CISPA) Week of Action to address the major privacy flaws in CISPA, H.B. 624. The week of action was a major success, with companies such as Craigslist and Firefox taking part and thousands of people contacting their representatives in Congress to express their concern around CISPA. However, the fight over CISPA is just beginning. Last week, CISPA passed out of the House Intelligence Committee by a vote of 18-2.

The sponsors of the bill, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), have maintained that there is no reason for concern, making inaccurate and misleading claims about the bill. They have argued that the bill does not contain overbroad provisions or definitions. Yet as EFF’s Mark Jaycox correctly notes:

The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company who acts in ‘good faith’ immunity for ‘any decisions made’ based off of the information it learns from the government or other companies. . . Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.


A week-of-action against the CFAA

Thursday, April 11, 2013 at 11:11 am by


In response to the overly aggressive prosecution of internet reformer and activist Aaron Swartz, the Electronic Frontier Foundation (EFF) has launched a joint campaign with several other organizations to urge much-needed reforms to the Computer Fraud and Abuse Act (CFAA). Passed in 1984, CFAA was initially construed to reduce security cracking of computer systems, though it has attracted accusations of overbreadth and legislative overreach since its inception.

Having expanded greatly outside of its original scope, the CFAA demonstrates the constant tension between governmental regulation and free speech, and has also been criticized as an unnecessary barrier to technological innovation. In an instance where the law has not yet caught up to technological innovation, the outmoded terms of CFAA fail to accurately reflect the circumstances of the 21st century, and “would allow frivolous prosecutions and stiffer penalties.”

Demonstrating the absurdity of certain provisions within the CFAA, Orin Kerr, a prominent academic of computer crime law and professor at George Washington University Law School, states:

The law now criminalizes computer use that “exceeds authorized access” to any computer. The problem is that a lot of routine computer use can exceed “authorized access.” But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like. Imagine the Republican Party setting up a public website and announcing that no Democrats can visit. Every Democrat who checked out the site could be a criminal for exceeding authorized access.

In an attempt to address such issues, EFF is championing three changes to the CFAA, including:

  • No more criminal penalties for violating a website’s fine print or an employee manual
  • No criminal penalties for circumvention techniques that protect privacy and promote security
  • Make penalties proportionate to offenses and stop punishing virtual crimes more harshly than physical world crimes

Following the massive discontent over the Stop Online Piracy Act (SOPA), such protests are similarly necessary in regards to the CFAA. Help EFF protect our civil liberties by tweeting members of the House Judiciary, emailing your representative in support of Aaron’s law, calling your representative, or changing your Twitter and Facebook profiles in memory of Aaron Swartz.

CIA and NSA data collection programs

Wednesday, April 10, 2013 at 9:45 am by

Speaking at a recent data conference in New York, chief technology officer Ira Hunt of the Central Intelligence Agency (CIA) commented on the increasing quantities of available information – including emails, videos, and tweets – in the current digital age. Regarding the prevalence and applications of such digital information, Hunt states that:

The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time. Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever.

With the enhanced abilities of computers to compute massive quantities of information, Hunt’s statements depict the CIA’s aspirations in accumulating and mapping large sets of data, a sentiment reflected in the agency’s recent contracts with industry giants such as Amazon.com. In this instance, this contract specifically focuses on cloud computing software, in that Amazon will aid the CIA in constructing a private cloud system, potentially for hosting sensitive and classified information that would otherwise be susceptible to security concerns in the public technological domain.

The CIA’s efforts are reminiscent of certain programs undertaken by the National Security Agency (NSA), which has conducted such investigations despite public worries over privacy and related Fourth Amendment concerns. One such critic of the NSA is whistle-blower William Binney, who was recently interviewed by filmmaker Laura Poitras for her documentary short regarding post-September 11th America. Having publicly admonished the NSA, Binney (who resigned from the agency in 2001) described a foreign intelligence program conducted by the NSA that focused upon classified domestic spying, which he believes to have been initiated shortly after September 11th. As reported by the New Yorker:

“Binney and a team of some twenty others believed that they had pinpointed the N.S.A.’s biggest problem—data overload. ThinThread, the “little program” that he invented to track enemies outside the U.S., “got twisted,” and was used for both foreign and domestic spying: “I should apologize to the American people. It’s violated everyone’s rights. It can be used to eavesdrop on the whole world.”

Such data programs share distinct similarities with a former Department of Defense (DOD) project known as the “total information awareness” program, which was “based on a vision of pulling together as much information as possible about as many people as possible into an ‘ultra-large-scale’ database.” However, in 2003, Congress de-funded the Defense Advanced Research Projects Agency’s (DARPA) total information awareness program, which the American Civil Liberties Union (ACLU) had often likened to the “Big Brother” project of the current era. In essence, the aforesaid CIA and NSA programs represent instances in which the executive has significantly expanded its power through its replication of policies that Congress has expressly rejected.