In debates on Internet surveillance law, I often end up arguing that reports of privacy's death have been greatly exaggerated. For example, I wrote a law review article in 2002 describing the effect of the USA Patriot Act on Internet surveillance law as The Big Brother That Isn't. Two weeks ago, however, the First Circuit decided a case called United States v. Councilman that poses a very real threat to Internet privacy. There has been some press on the case already, but some writers and commentators have also suggested that the decision really isn't a big deal. Declan's take is representative of the no-big-deal school:
the folks who are most upset about this haven't read the court's opinion carefully, and those that have are discounting the ability of state law and tort sanctions to keep people in line. There are other mechanisms than just federal wiretapping law that can enforce good behavior.
I disagree with Declan, and thought it might be worth explaining why the Councilman decision is so dangerous.
First, a bit of background. Federal law protects e-mail privacy through two primary laws: the Wiretap Act, codified at 18 U.S.C. 2510-22, and the Stored Communications Act, 18 U.S.C. 2701-11. The Wiretap Act offers very strong protection against the real-time interception of telephone or Internet communications. If anyone tries to step in and snoop on the contents of another person's communications, they commit a federal felony offense unless one of several fairly narrow exceptions applies. If the government tries to do this, they need a super-search warrant called a Title III order. In contrast, the Stored Communications Act sets up lesser privacy protections for access to stored communications. First, the law is much narrower; it applies only to files held by particular providers, and has much broader exceptions. Second, the prohibition against snooping on stored files is much narrower and ordinarily a misdemeanor. Third, law enforcement access to stored files is normally governed by a basic warrant requirement, rather than a super-search warrant requirement. Why the different treatment for stored and in-transit communications, you wonder? Well, there are a couple of reasons, but one important reason is that the Supreme Court suggested in Berger v. New York that in-transit interception requires special protections under the Fourth Amendment. (By the way, I discuss how the Wiretap Act applies to the Internet in the Big Brother article I linked to above. I also give a basic explanation of the Stored Communications Act in a forthcoming article you can download in draft form here.)
The Councilman case addresses an ambiguity in the line between the Wiretap Act and the Stored Communications Act. The question is, when is a file stored, and when is it in transit? This is a big question because on the Net communications are often at rest for very brief periods of time in the course of transmission, and the statutory text doesn't make particularly clear whether access to a file that is at rest for a nanosecond is supposed to be covered by the Wiretap Act or the Stored Communications Act. Councilman involved an ISP employee who wrote and installed a computer program to scan incoming e-mail of the ISP's customers; ISP employees would then read the e-mails and try to use them for the commercial advantage of the ISP. In a nutshell, the First Circuit held (by a vote of 2-1) that because the program scanned the e-mails while they were at rest for a nanosecond, the e-mails were in storage at that time and access to them was covered by the Stored Communications Act, not the Wiretap Act. Because Councilman had been indicted for violating the Wiretap Act, the Court affirmed the dismissal of Councilman's indictment.
Why is this decision a big deal? It's a big deal because the line between the Wiretap Act and the Stored Communications Act doesn't just regulate ISPs. It regulates everybody, including federal and state criminal investigators. The Justice Department and Congressional staffers have interpreted the Wiretap Act quite broadly and the Stored Communications Act quite narrowly, and based both existing practice and recent legislative amendments on that understanding. When I was at DOJ advising agents on this sort of thing, the informal yardstick was that when a law enforcement agent planned a series of accesses to a file or account, the repeated series of accesses triggered the Wiretap Act rather than the Stored Communications Act. So in a pre-Councilman world, an FBI agent couldn't make an end-run around the Wiretap Act by lining up a bunch of warrants and executing them once every ten minutes. This approach remained true to the Supreme Court's decision in Berger and also ensured that the strong privacy protections of the Wiretap Act were not gutted by end-runs around the statute.
The Councilman approach largely nullifies the Wiretap Act online, by contrast, with rather remarkable implications. It is my understanding that when the FBI gets a Wiretap order to install a network wiretapping device such as Carnivore, they usually install the device at a nanosecond-storage point. Well, guess what, folks, that's no longer regulated by the Wiretap Act. Under Councilman, DOJ can install Carnivore with at most only a search warrant. Even worse, the FBI doesn't need a search warrant at all if the owner of the computer where Carnivore is installed consents and that owner is a University or business other than an ISP. Because the exceptions to the Wiretap Act are narrow while the exceptions to the Stored Communications Act are much broader, the switch from protection via the former to via the latter is not only a switch to lesser protection, but in many cases a switch to no protection at all. For example, if the FBI wanted to install Carnivore at my university's servers and the university was willing to let them do this, the FBI could monitor all of my incoming and outgoing e-mail (and all of the e-mail of everyone at the University, for that matter) in real-time without any legal process or oversight whatsoever. Do you remember the controversy over the "computer trespasser" exception to the Wiretap Act, which was one of the most controversial sections in the USA Patriot Act? Under Councilman, that kind of monitoring generally will not even implicate the Wiretap Act in the first place, so the monitoring is no longer limited by the specific statutory requirements of the trespasser exception. Bad stuff. Very bad.
There are rumors afoot that Congress may step in and fix this problem soon. Fortunately, the politics are a win-win: both DOJ and civil liberties groups want the prior understanding restored. There is even proposed statutory language floating about that would do the trick quite nicely. Let's hope that Congress acts sooner rather than later. Stay tuned.