Unwarranted, p.30
Unwarranted,
p.30
Part of the reason our federal Constitution contains a right to an indictment by the grand jury stems from the famous trials of John Peter Zenger. Zenger was a printer in the 1700s harshly critical of New York’s colonial governor. Thrice the government tried to prosecute Zenger; each time the grand jury refused to issue an indictment. Similarly, grand juries refused to let Stamp Act prosecutions go forward in the run-up to the Revolutionary War. Historically, grand juries—at their own initiative—pursued official wrongdoing and unveiled official corruption. During the Progressive Era, grand juries were the downfall of big city machines like that of Boss Tweed.23
Today, though, grand juries are nothing but the tool of prosecutors, who wield the subpoena power in the grand jury’s name, but with no real supervision by the jurors themselves. That’s why it is said that if a prosecutor asked, the grand jury would “indict a ham sandwich.” The country got a vivid taste of this when Special Prosecutor Ken Starr went after President Bill Clinton for perjury and obstruction of justice involving his affair with Monica Lewinsky. Not only did Starr subpoena Lewinsky’s semen-stained dress, he also used a subpoena to get his hands on Monica Lewinsky’s hard drive containing love letters to Clinton. He even hauled off the computer of one of Lewinsky’s friends, ultimately revealing to the world the friend’s private, intimate letters about her honeymoon in Tokyo.24
Congress eventually dispensed altogether with the pretense that the grand jury is supervising the prosecutor, authorizing government officials to issue subpoenas without a grand jury anywhere in the picture. Whether it was antitrust violations or failure to follow wage and hour laws, the notion was that administrative officials could not find offenders if they had to have probable cause before even beginning to investigate. More recently, the line between administrative agencies and prosecutors was obliterated. Statutes now empower prosecutors to go after health care fraud and child sex offenders by issuing their own subpoenas. Investigating health care fraud, prosecutors—with no showing of probable cause and no grand jury in existence—have forced doctors to turn over not only their financial records, but patient records, lists of magazines and journals they read, information about courses they take, and the financial records of their children. As one doctor fighting off a health care fraud subpoena pointed out, if a government agent came to take his papers without a warrant, that would violate the Fourth Amendment; and if the government agent got a warrant without probable cause, that also would violate the Fourth Amendment; so how come a prosecutor can just write out his own subpoena and demand the same papers?25
The failure of all checks on government prying was when Congress decided to give the FBI—not even prosecutors, but a policing agency—its own form of subpoena authority, National Security Letters (NSLs). Initially, NSLs were available only if the FBI had “specific and articulable facts” indicating that the person being investigated was “a foreign power or the agent of a foreign power.” When Congress passed the USA Patriot Act in the wake of 9/11, though, it substantially broadened the Bureau’s NSL powers. Now NSLs can be used to get information from anyone—foreign agent or not—so long as the FBI says the information is “relevant” to an authorized terrorism or intelligence investigation. Using this incredibly loose standard, the FBI is collecting everything from credit information to telephone toll and email subscriber records on American citizens. Following adoption of the Patriot Act, the number of NSLs skyrocketed to tens of thousands annually. The DOJ Inspector General’s office found widespread abuse of the practice, from substantially underreporting the number of requests in reports to Congress, to issuing something called “exigent letters”—for which there was zero authority in law—to gather information quickly without even meeting the minimal requirements for NSLs.26
The president’s Privacy Review Group on Intelligence and Communications Technologies, appointed by President Obama to investigate government spying in the wake of the Snowden revelations, urged the elimination of the NSL practice. “[I]t is important to emphasize,” Group members wrote, “that NSLs are issued directly by the FBI itself, rather than a judge or by a prosecutor acting under the auspices of a grand jury.” The Review Group found itself “unable to identify a principled argument why NSLs should be issued by FBI officials.” This remains the law, nonetheless.27
The rationale for letting law enforcement officials issue their own subpoenas is that—supposedly—the government acts under the ultimate supervision of the courts. Anyone who doesn’t think a subpoena is legit can come to court and challenge its validity. If the court agrees, it tosses the subpoena out—“quashes” it, in the lexicon.28
The first problem with this supposed justification is that in defending its subpoena in court, the government still does not have to show probable cause. It need only demonstrate that the subpoenaed information is “relevant” to a government investigation. Relevance is a whole lot less than probable cause, which is precisely why the subpoena is likened to a blank check. Probable cause means the government has cause to believe you did something wrong; “relevance” just means they think they need it whether you are under suspicion or not.29
But the real kicker is this: If the subpoena is served on a third party, like in the Miller case or the WikiLeaks case, the target won’t know about it, and so wouldn’t know to complain to a court in the first place. And even if companies like Twitter want to tell customers about the data hunt, they typically are forbidden by law from doing so. Gag orders are the order of the day. Many of the laws that authorize subpoenas and D-orders have provisions forbidding the recipient from telling the target. One judge, who balked at the practice, said that, in seeking to get a subscriber’s emails off its servers, the government wanted “Microsoft gagged for … well, forever.”30
CONGRESS STEPS IN
At the dawn of the digital age, it was clear to all concerned that congressional legislation was needed to regulate law enforcement’s access to electronic communications. Under the existing Wiretap Law, adopted in 1968, the government had to get a sort of “superwarrant” before it could listen in on telephone conversations. But no protection at all existed for email or other electronic information. It took no genius to see that given the Supreme Court’s third-party rule, and the government’s broad subpoena power, all the information in the hands of the new information service providers was going to be easy prey for government poaching. Not only was that bad for individual privacy, it also was bad for business: the burgeoning Internet companies needed to be able to assure customers that their data would remain secure. Even law enforcement needed help: In the face of the Supreme Court’s liberal third-party doctrine, states were adopting their own privacy laws to protect third-party disclosures, making a uniform solution essential. So civil libertarians and industry joined together, with support from law enforcement, to get Congress to do something.31
In response, in 1986, Congress enacted the Electronic Communications Privacy Act. At the heart of the ECPA rested the distinction, drawn initially by the Supreme Court in the Smith case, between what today we call “metadata”—such as the addressing information on an email, or the number that was dialed from a particular phone—and the “content” of those communications. Under the ECPA, the most protection is accorded to the content of communications. Before the government can get this information it generally needs a traditional warrant issued by a judge and based on probable cause. On the other hand, if the government wants noncontent “records” stored with third-party providers, the sort of D-order that was used in the WikiLeaks case will suffice. To obtain such an order the government need only provide a court with “specific and articulable facts” showing the information is potentially “relevant and material” to a criminal investigation. That’s not a whole lot; among other things, the government need not show the target has done anything wrong. Finally, armed with nothing but a subpoena issued by the government itself, under the even looser “relevance” standard, agents can get ahold of basic subscriber data such as name, address, log in, and account information.32
Although the ECPA may have made sense in the early days of digital technology, its shortcomings have become glaring in a world no one could even imagine in 1986. The theory was that the more private the information, the higher level of suspicion and judicial supervision required. But it has not worked out that way.
First, the ECPA contains a strange loophole that allows the government to gather a lot of email with nothing but a subpoena. Email—like phone conversations—undeniably contains “content” and thus seems to require the highest level of protection—a probable cause warrant. And under the ECPA, if an email is sitting on a server for less than six months, a warrant is indeed needed before the government can read it. But if the email sits there for more than six months, the government can simply issue a subpoena and get it. Why this bizarre “six month” distinction? Because when the ECPA was adopted in 1986, third-party storage was extremely expensive, and the assumption was that people would download their emails to their own computers to avoid incurring these costs. If they had not downloaded the email, the thought was that the email had been abandoned, and the government should be able to access it. But who, today, doesn’t store emails with commercial providers for more than six months?33
Then, there’s the widespread storage in the cloud of data other than email. In 1986, no one could have anticipated how much of our private lives would be kept on third-party servers—our personal documents, our diaries, our photos. All of this is undeniably “content.” Yet, under the ECPA, it appears a warrant is not necessary to get any of this material either.34
Finally, there’s the underprotection of metadata. The ECPA requires no probable cause to get this information. But metadata is often all the government needs to pry our lives apart. “In the analog world,” explains the Electronic Privacy Information Center’s Marc Rotenberg, “the transcript of the phone conversation was obviously more valuable than looking at a pattern of phone numbers.” That was the “old style” approach to law enforcement investigation.” But the “new style … is all about data, all about network analysis. In that world the data is more important than the calls. It is more objective, it can’t be modified; people can’t use a code to hide its meaning.”35
The best example of the privacy implications of collecting metadata is location tracking. The New York Times explained in 2012 that “[i]n most cases, law enforcement officers do not need to hear the actual conversation; what they want to know can be discerned from a suspect’s location or travel patterns.” Government requests for cell phone location data have skyrocketed even as old-fashioned wiretap requests have become a disappearing breed. That’s because, as the Times elaborated: “location data can be as revealing of a cellphone owner’s associations, activities, and personal tastes as listening in on a conversation, for which a warrant is mandatory.”36
The ECPA as originally adopted makes little sense today, but in fairness it was simply asking too much of Congress—or anyone else in 1986—to have the faintest clue what the future would hold. In 1984, in the run up to enactment of the ECPA, only 5 percent of homes had a personal computer. The World Wide Web as we know it did not exist. Congress had not authorized the development of the Internet for commercial use, and the first Web browser was seven years away.37 Email was a novelty to most; those who had it paid for it, and the idea of services such as Gmail was beyond the ken. Similarly with cell phones. The year before the ECPA was passed there were fewer than 1,000 cell sites. By 2010 one estimate put the number at more than 250,000.38
By very early in the twenty-first century, though, the overwhelming consensus was that the ECPA was seriously out of date and needed to be fixed. At a 2004 conference on Internet surveillance at George Washington Law School, every commentator who discussed the ECPA, no matter their ideological stripes, called for “changing it in fairly significant ways.” In 2010, Digital Due Process, a wide-ranging coalition of tech companies, individuals, and organizations from across the political spectrum, formed to lobby for ECPA reform. By 2015, groups as diverse as the conservative Heritage Action for America and the liberal ACLU even agreed on what needed done, which was to step up the standards by which government obtained information, including—in many cases—requiring a warrant and probable cause.39
But Congress was frozen because law enforcement—which also recognized the law needed to be changed—could not get comfortable with the proposed reforms.
LAW ENFORCEMENT’S TECHNOLOGY PROBLEM
By the middle of the second decade of this millennium, law enforcement faced a tough problem of its own. In a high-profile speech given on October 16, 2014, FBI Director Jim Comey explained that developments in communications technology were making it difficult for law enforcement to keep up. The question he asked was “Are Technology, Privacy, and Public Safety on a Collision Course?” 40
Comey’s central point was this: even when law enforcement could and did get orders from judges to engage in surveillance, technological change was rendering those orders “nothing more than a piece of paper.” When the Wiretap Act was passed in 1968, if law enforcement needed to know what was said on the telephone call, all it needed were “two alligator clips and a tape recorder.” Not only was the technology relatively straightforward, but there was only one provider, the monopoly known as Ma Bell. Now, though, things are more complex: “If a suspected criminal is in his car, and he switches from cellular coverage to Wi-Fi, we may be out of luck. If he switches from one app to another, or from cellular voice service to a voice or messaging app, we may lose him.” “The bad guys know this,” said Comey. And “they’re taking advantage of it every day.” 41
Early in the digital revolution, in 1994, Congress had given law enforcement a hand by enacting the Communications Assistance for Law Enforcement Act, or CALEA, which required communications firms to design their equipment specifically to ensure that law enforcement could conduct surveillance. But, as Comey told his audience, CALEA had been adopted “[t]wenty years ago—a lifetime in the Internet Age.” The same problem of unanticipated change that had made the ECPA obsolete in protecting our privacy was doing the same with regard to law enforcement’s ability under CALEA to get what it needed. For example, CALEA applied to “communications” companies, but it exempted “information” firms. Obviously, no one in Congress had foreseen the volume of Internet vehicles for communicating that we have today: Google Hangouts, apps that allow people to talk with one another, digital games that permit players to scream and yell but also to send messages. There are thousands of new “information” firms that facilitate communications, many of them start-ups whose hardware and software leave no room for law enforcement to gain access.42
And so, Comey declared, law enforcement was at risk of “going dark.” “Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority.” 43
Indicative of the problem, in Comey’s mind, was Apple’s move to encrypt iPhones passcodes so only the owner could unlock the phone and access data on it. With its iOS8 update, Apple told consumers, “it’s not technically feasible for us to respond to government warrants for the extraction of this data.” Rather, “[w]e’ve built privacy into the things you use every day.” Comey’s address came just a month later, and he singled out Apple—as well as its competitor Android, which was following suit. “Both companies are run by good people, responding to what they perceive as market demand. But the place they are leading us is one that we shouldn’t go without careful thought and debate as a country.” 44
Soon enough, the country was treated to an example of what Comey said was wrong. Two homegrown terrorists, inspired by Islamist terrorists abroad, attacked a gathering of public health workers in San Bernardino, California, killing and wounding more than thirty people. As part of its investigation, the FBI obtained a court order requiring Apple to develop software so that FBI investigators could get into the telephone used by one of the perpetrators. As an epic court battle attracted the nation’s attention, an anonymous third party surfaced to show the FBI how it could gain access to the information it wanted, without Apple’s assistance. That resolved the immediate case. But there was no gainsaying the issue would be back before long.45
LAW ENFORCEMENT’S POLITICAL PROBLEM
The problem law enforcement faced in 2014 was technical, but—as Comey himself recognized—it was equally political. “In the wake of the Snowden disclosures,” he conceded, “the prevailing view is that the government is sweeping up all of our communications.” Comey sought to assure people “that is not true,” and issued dire warnings about the risks we face from those who would do us harm if law enforcement cannot get the information it needs, even with a warrant.46
The wall Comey was running into was that repeated news reports of government snooping on Americans, combined with instances of official dissembling—such as the president of the United States claiming none of it was happening prior to the Snowden revelations proving him wrong—had eroded the trust law enforcement requires to do its job. Law enforcement had gotten so aggressive in grabbing data, that by the time Comey spoke of the challenge of “going dark,” many people were no longer in any mood to make it easier for them to do so.
Law enforcement simply has had a hard time hearing the society’s concern about government collecting private information from third-party providers. The harm in the Snowden disclosures, Comey said, “has extended—unfairly—to the investigations of law enforcement agencies that obtain individual warrants, approved by judges.” But the fight is not just about warrants, and if it were, then law enforcement might get a lot more of what it wants. The government consistently has taken legal positions—often based on the poor drafting of the ECPA—that would give it access to email communications held by third parties, without a warrant or probable cause.47 And, if you carefully parse the speeches and testimony of law enforcement officials, they talk about getting “court order[s] or warrant[s].” In other words, government still believes it should be able to get information from third parties using only subpoenas or D-orders. This was clear in joint testimony Comey and Deputy Attorney General Sally Quillian Yates gave to the Senate Judiciary Committee in July 2015. They bluntly expressed concern about a world in which “users have sole control over access to their devices and communications,” and discussed the need to use court orders “to recover the content of electronic communications from the technology provider.” Users, on the other hand, seem to think they should have “sole control” over their own devices and communications.48



