The bill, (S.1265/H.R. 2738), would curtail the practice of law enforcement and intelligence agencies purchasing personal information like location data from data brokers. The Fourth Amendment Is Not For Sale Act would also close loopholes in the Electronic Communications Privacy Act of 1986 (ECPA).

Read the full letter + the list of signatories here.

The post CDT Joins Coalition Letter Calling for Congressional Hearings on Fourth Amendment Is Not For Sale Act appeared first on Center for Democracy and Technology.

The day before the Patriot Act passed in October 2001, Center for Democracy & Technology (CDT) founder Jerry Berman warned, “This bill has been called a compromise, but the only thing compromised is our civil liberties.” This week, CDT hosted a discussion looking back at the enactment of the Patriot Act and the expansion of government surveillance after 9/11, evaluating how the landscape for government surveillance authorities and civil liberties has evolved in the 20 years since, and exploring how we should go forward in the present day.

The event began with a fireside chat between former U.S. Senator Russ Feingold, the lone “no” vote in the Senate against the Patriot Act, and Laura Murphy, who managed the ACLU’s Legislative Office in Washington, D.C. at the time of the bill’s passage. 

The two reflected on the speed with which the bill moved through Congress, despite containing “an old wishlist of the FBI… because they knew it was going to pass.” Feingold remarked that many other members of the Senate admitted that they never read or even gained a basic understanding of what was in the Patriot Act. But their review, said Murphy, revealed that “some of the authorities went far beyond anything we could have imagined.” 

At the time, polling across the country revealed that people were — presciently — worried about the government snooping, including on what they were reading. In the years since, both Feingold and Murphy felt vindicated for pointing out the major civil liberties concerns with the legislation, and they both stressed the importance of having conversations in the present day about how civil liberties should be protected for everyone’s benefit.

Following the conversation between Feingold and Murphy, Washington Post reporter Shane Harris moderated a panel discussion between Laura Donohue, Director of Georgetown University’s Center on National Security; Chris Fonzone, General Counsel at the Office of the Director of National Intelligence; and Sharon Bradford Franklin, Co-Director of CDT’s Security & Surveillance Project.

Franklin highlighted a consistent thread in CDT’s advocacy since 2001: that we want the government to keep us safe, and we also need robust guardrails for government surveillance with firm roots in our legal system. But the period around 9/11 begot what Harris called radical changes, and sometimes secret reconsiderations, to longstanding surveillance laws. Said Franklin, “A problem with the Patriot Act was that it removed guardrails that had been in place, or failed to extend guardrails for some of the new authorities that were being created.” 

In evaluating the decisions made in the immediate aftermath of the 9/11 attacks, Fonzone said, “The first thing I’d flag that we got wrong is that we overshot, and as we’ve gotten further from 9/11, we’ve pulled some things back, and that’s something we’ve gotten right.”

The Patriot Act expanded the ability of government to obtain a broad range of business records without a warrant, and to issue National Security Letters or administrative subpoenas — and for both of these authorities, it removed the requirement that the government show that the information related to a foreign power or an agent of a foreign power. Section 702, a program that allows warrantless collection of the content of communications, had its origins in the top secret Stellar Wind program conducted under a claim of inherent presidential power and was then codified by Congress in the Foreign Intelligence Surveillance Amendments Act, also remains problematic: among other issues, once the government has collected information, current rules allow it to search that data for information about specific Americans without a warrant or court review. 

The panelists continually returned to the impact of the Snowden revelations on the debate over U.S. government surveillance. According to Donohue, at the time of the June 2013 leaks, only six Foreign Intelligence Surveillance Court (FISC) cases were in the public domain, and now there are about 100. She also pointed out that, once the government’s secret interpretation of Section 215 of the Patriot Act was revealed by Snowden and found to be illegal, all three branches responded: the Privacy and Civil Liberties Oversight Board (PCLOB) became higher-profile, President Obama put together a review board and issued Presidential Policy Directive 228, and the FISA court — which had never had a public filing — then had 160 within a year. 

In that same year, Members of Congress introduced a broad range of proposals to reform government surveillance, ultimately resulting in enactment of the USA FREEDOM Act of 2015. The bill, which Murphy called the first substantive amendment to the Patriot Act, purported to end bulk collection of Americans’ communications information under Section 215, among other reforms.

Donohue said that USA FREEDOM “shifted the landscape, to allow the court to hear from parties adversarial to government surveillance.” The law created the role of amici, or friends of the court, but Franklin said that there is still a need to expand the cases in which amici appear, give amici full access to information in the matters in which they appear, and let amici petition for an appeal to the FISA Court of Review or Supreme Court. 

Fonzone agreed that the role of amici is important: “The fact that the government is willing to subject its arguments to the court, have an amicus come in and make counterargument, appeal it, and then when it loses take the court’s order, that I think is the system working that we’ve set up.” The panelists further discussed what constitutes counsel that is functionally adversarial to the government, and the government’s fiduciary duty to the kinds of arguments it makes behind closed doors to a court.

Other areas of concern mentioned by the panelists include government abuse of state secrets privilege to get entire suits dismissed; the extent to which judicial opinions remain classified; and oversight of government surveillance beyond the FISC. They also included loopholes in the Electronic Communications Privacy Act that allow the government to bypass requirements for warrants or other judicial orders by purchasing information from data brokers; how to fit new technologies into old statutory language; and the separation of powers issues posed by the specialized nature of the FISC.

Going forward, the panelists concurred with Fonzone that, in this post-9/11 national security era, we need to be able to constantly consider the types of authorities we have in the U.S., and whether they are the right ones. Fonzone specified that this process should be as transparent as possible, and Donohue highlighted the continued importance of fidelity to law, judicial discretion, and established processes.

Fonzone and Franklin drove home that other jurisdictions are also playing a role in prompting a debate over surveillance authorities — particularly following the decision by the Court of Justice of the European Union that struck down the Privacy Shield, citing insufficient safeguards under U.S. surveillance law for protections of personal data. 

Franklin added, “That’s another opportunity for our government to take a long, hard look at our surveillance laws and adopt reforms. There’s a lot the government can do without Congress. We need to move forward with a comprehensive review of our surveillance laws in a meaningful way.” And the 2018 decision in Supreme Court case Carpenter — which held that the government needs a warrant before collecting sensitive location information — has given her hope: “If you think through the analysis of Carpenter and what it recognized about sensitive information that reflects the privacies of life, you would come to the conclusion that [the warrant requirement] covers a lot more information in a lot more contexts.”

The full event is available to view on CDT’s YouTube Channel.

The post Reflecting on 20 Years of the Patriot Act: U.S. Surveillance Authorities Must Still Change appeared first on Center for Democracy and Technology.

The law in question is the Electronic Communications Privacy Act (ECPA) – which CDT has sought to reform for years to address the reality of communications in the modern digital age – and the government’s use of ECPA to issue orders preventing cloud service providers from notifying their customers that the government has sought access to a customer’s private electronic data. Such gag orders tread on the First Amendment rights of cloud providers because they restrict them from talking to their customers. And by barring that speech, the gag orders deprive the cloud users of a chance to challenge the government’s conduct, including that the subpoena may be overbroad or may call for information protected by law from disclosure (such as the attorney-client privilege).

Both First Amendment free speech rights and Fourth Amendment safeguards against unreasonable searches are at issue when it comes to ECPA gag orders. We argue in our brief that the court should require the government to meet a high legal standard when it tries to impose such gag orders.

We were represented by Mayer Brown, and the Chamber of Commerce, Internet Association, and the National Association of Manufacturers joined us on the brief.

The post CDT Files Brief Urging Court to Rein in ECPA Gag Orders appeared first on Center for Democracy and Technology.

Chairman John McCain
Ranking Member Jack Reed
Senate Committee on Armed Services

Chairman Mac Thornberry
Ranking Member Adam Smith
House Armed Services Committee

Dear Chairman McCain, Chairman Thornberry, Ranking Member Reed and Ranking Member Smith,

We, the undersigned civil society organizations, companies and trade associations, write to express our support for the Email Privacy Act which was recently included in the House passed version of the National Defense Authorization Act (NDAA) for Fiscal Year 2019. The Act updates the Electronic Communications Privacy Act (ECPA), the law that sets standards for government access to private internet communications, to reflect internet users’ reasonable expectations of privacy with respect to emails, texts, notes, photos, and other sensitive information stored in “the cloud.”

The bill would end ECPA’s arbitrary “180-day rule,” which permits email communications to be obtained without a warrant after 180 days. The Act would also reject the Department of Justice interpretation of ECPA that the act of opening an email removes it from warrant protection. These reforms would ratify the Sixth Circuit’s decision in U.S. v. Warshak, which held that email content is protected by the Fourth Amendment and that law enforcement access requires a probable cause warrant. Moreover, the changes reflect current practices: DOJ and FBI policies already require law enforcement officials seeking content to obtain a search warrant, and many service providers will not relinquish their users’ content without one.

The bill passed by the House does not achieve all of the reforms we had hoped for. Indeed, it removes key provisions of the proposed bill, such as the section requiring notice from the government to the customer when a warrant is served, which are necessary to protect users. However, it does impose a warrant-for-content rule with limited exceptions. It represents a carefully negotiated compromise which preserves existing exceptions to the warrant requirement, provides a new ability for civil agencies to obtain access to previously public commercial content, and maintains the government’s ability to preserve records and obtain emails from employees of corporations. We are particularly pleased that the bill does not carve out civil agencies from the warrant requirement, which would have expanded government surveillance power and undermined the very purpose of the bill, or contain unnecessary and overbroad mandatory emergency exceptions. Such changes or other broad warrant exceptions would represent a step back from the status quo, particularly in light of the recent Carpenter decision where a majority of the justices on the Supreme Court endorsed a lower court decision applying a warrant standard when law enforcement seek emails.

For these reasons, we support the Email Privacy Act and urge that it be included in the final NDAA without any amendments that would weaken the protections afforded by the bill.

Sincerely,

ACT | The App Association
Adobe
ALEC Action
American Civil Liberties Union
Americans for Prosperity
Amazon
American Association of Law Libraries
American Library Association
Americans for Tax Reform
Association of Research Libraries
Box Inc.
Brennan Center for Justice at NYU School of Law
BSA | The Software Alliance
Center for Democracy & Technology
Cisco Systems, Inc.
Committee for Justice
CompTIA
Computer & Communications Industry Association
Consumer Action
Consumer Technology Association
Council for Citizens Against Government Waste
Data Foundry
Digital Liberty
Discovery Institute
Dropbox
Due Process Institute
Electronic Frontier Foundation
Engine
Facebook
FreedomWorks
Future of Privacy Forum
Giganews
Golden Frog
Google
Information Technology and Innovation Foundation
Information Technology Industry Council (ITI)
Institute for Policy Innovation
Internet Association
Internet Infrastructure Coalition
National Association of Criminal Defense Lawyers
National Taxpayers Union
NetChoice
New America’s Open Technology Institute
Oath
Rapid7
Reform Government Surveillance
Software & Information Industry Association
Sonic
Taxpayers Protection Alliance
TechFreedom
TechNet
U.S. Chamber of Commerce
Wikimedia Foundation

The post Letter to Armed Services Committee on the Email Privacy Act appeared first on Center for Democracy and Technology.

So what’s going on? Back in 2010, a federal appeals court held in case called U.S. v Warshak that emails were protected by the Fourth Amendment and required a warrant. That ruling has never been challenged by the Department of Justice and since then the major tech companies have treated that as the law of the land. The practical result is that when police seek a suspect’s communications, they get a warrant. This hasn’t proved controversial and investigations have continued over the intervening decade without major complaint from law enforcement.

This is the time for Congress to act on a long overdue update.

However, efforts to formally adopt that standard into federal law through legislation called the Email Privacy Act, haven’t been as successful. In spite of the strongest possible support in the US House of Representatives – unanimous approval of a legislative fix – the Senate has never taken up the legislation. That can and should change this week. The language of the Email Privacy Act has been included in the House (but not the Senate) version of must pass legislation, the National Defense Authorization Act (NDAA). House and Senate leaders are meeting this week to iron out differences between the bills.

The case for amending ECPA to include this fix has never been stronger. It enjoys support from groups across the ideological spectrum and tech companies both large and small. In the recently decided US v Carpenter, a case holding that searches of cell phone records require a warrant, the Supreme Court spoke favorably about the need to protect the content of communications with a warrant as well.

So what is the hold up? Certain members of the Senate and law enforcement have resisted this  technical fix by insisting it include unrelated measures like the so called “ECTR fix.” Others have called for radical changes to how ECPA operates, such as allowing law enforcement to bypass the warrant requirement anytime they claim something is an emergency. Supporters of the bill, including CDT, have rightly resisted these changes, noting that it doesn’t make sense for Americans to give up major privacy rights in exchange for protections they already enjoy.  Additionally, the Email Privacy Act already makes changes for law enforcement, including granting police a longer period to delay notice of investigations and requiring providers to promptly respond to requests.

The Email Privacy Act provides important legal certainty for everyone who stores communications in the cloud and won’t change current police practices. It also helps global customers who store information in the U.S. but may not be protected by the U.S. constitution. This is the time for Congress to act on a long overdue update.

The post Congress Has a Chance to Get It Right on Email Privacy appeared first on Center for Democracy and Technology.

The District Court of the Eastern District of Virginia based its decision on a rigid interpretation of a convoluted definition applicable to the SCA – a part of the Electronic Communications Privacy Act (ECPA) that CDT and the Digital Due Process Coalition have been trying to update for eight years. The SCA subjects to civil liability anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains … access to a wire or electronic communication while it is in electronic storage in such system.” In this case, the plaintiff alleges that the defendant gained unauthorized access to his Gmail account. Whether the defendant is liable under the SCA turns in large part on whether opened email in that account was in electronic storage.

Instead of defining “electronic storage” as the storing of communications electronically, the applicable law defines “electronic storage” as:

“(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

“(B) any storage of such communication by an electronic communication service for backup protection of such communication.” 18 U.S.C. 2510(17).

This has the benefit of distinguishing the communications that a communication service provider holds electronically on its own behalf as corporate records from the communications of the provider’s users. Only the users’ communications are protected by the SCA. But, it has the unfortunate side effect of inviting interpretations that unduly limit the scope of the protections Congress intended the SCA to provide to users. In this case, the District Court reasoned that an opened email meets neither prong of this definition, agreeing with the Eighth Circuit which reached a similar conclusion in Anzaldua v. Northwest Ambulance and Fire Protection District, 793 F.3d 822, 839 (8th Cir. 2015).

The district court decision conflicts with the determination of the Ninth Circuit in Theofel v. Farely-Jones, 359 F.3d 1066 (9th Cir. 2004), which found that opening an email is irrelevant to determining whether the email is in electronic storage. We argued that the Theofel rule should prevail because Congress intended the SCA to provide broad privacy protection to such communications when they are held by electronic communications service providers. We also point out that with the explosive growth of cloud computing – which permits users to access their content stored in the cloud from any device – the backup protection that is being afforded is to the user, as opposed to the provider. Thus, the email in question is in electronic storage because it is being held as backup protection for the user.

Hately v. Watts is a civil case with implications for the criminal context: whether a communication is in electronic storage can determine not only whether unauthorized access results in civil liability, but also whether disclosure of the communication to law enforcement is governed by the SCA or not, and if governed by the SCA, whether the warrant requirements in the statute apply. Those implications, coupled with the split in the circuits on the “opened email issue” create a possibility that the Supreme Court will step in and finally resolve whether opening an email strips it of the protections afforded in the SCA to communications in electronic storage held by providers of electronic communications service.

Congress might also address the issue by enacting the Email Privacy Act, H.R. 387. The Email Privacy Act would subject to a warrant requirement any communications content that is “in electronic storage with, or otherwise stored, held or maintained” by an electronic communications service. This language would make it clear that the SCA protects email in an electronic communications service regardless of whether it has been opened. The Email Privacy Act includes a rule of construction that makes it clear that corporate records of the provider itself are not subject to the SCA warrant requirement. On February 6, 2017, the House passed the Email Privacy Act unanimously, and the legislation has been attached to the National Defense Authorization Act (H.R. 5515), which the House passed on May 24, 2018. However, concerns in the Senate that have dogged the legislation for three years have not yet been resolved, making prospects for passage of a clean Email Privacy Act difficult to secure in this Congress.

In light of the uncertainty of achieving success in Congress, we have sought to achieve success in the courts, and a determination that opening an email message does not adversely impact the protections afforded it under the Stored Communications Act.

The post Did Congress Intend the Stored Communications Act To Protect Only SPAM? appeared first on Center for Democracy and Technology.

However, the district court’s decision in this case would strip these communications of the protections of ECPA and the SCA as soon as they are opened. Paradoxically, spam and other unwanted, unopened messages would retain these vital privacy protections, while the most intimate and important personal communications would no longer enjoy SCA protections against unauthorized access by individuals, the government, and other entities. Furthermore, because other circuits have correctly held that opening an electronic communication does not deprive it of the protections of ECPA and the SCA, affirming the district court’s decision would provide electronic communications with different levels of protection in different states, and as people travel between states, undermining the fundamental purpose of ECPA and the SCA. Accordingly, this Court should reverse the district court’s summary judgment that, because they had been opened, the emails in this case were not “in electronic storage” for the purposes of the SCA.

The post CDT Amici Curiae Brief in Hately v Watts appeared first on Center for Democracy and Technology.

The post Memorandum on Human Rights Criteria for Cross-Border Demands appeared first on Center for Democracy and Technology.

Twelve civil society groups and trade associations joined CDT on the brief, including Americans for Tax Reform, New America’s Open Technology Institute, the U.S. Chamber of Commerce, the National Association of Manufacturers, and the Business Software Alliance.

We have followed the Microsoft-Ireland case closely because the Court’s decision will have worldwide implications for privacy and could spur Congressional movement on the Email Privacy Act, H.R. 699, which passed the House unanimously last year but is stalled in the Senate. The Email Privacy Act would require law enforcement officials in the U.S. to obtain a warrant in order to gain access to the contents of online, non-public communications.

The Court’s decision in this case is just one part of addressing the growing problem of cross-border data demands. Increasingly, data needed to investigate a crime in one country is stored in another country. The Microsoft-Ireland case is about whether law enforcement officials in the country conducting the investigation can, in essence, use the coercive power of a warrant served on a communications service provider to reach outside its borders to gain access to the data they need. The country where the data is stored may have data protection rules that bar or place conditions on the transfer of data, which may conflict with granting such access.

Other, more cooperative mechanisms are being explored to address this problem. These include improving the existing system of disclosures pursuant to Mutual Legal Assistance Treaties (MLATs, or bilateral agreements permitting access across borders with certain limitations); a multi-lateral agreement in the form of a protocol to the Budapest Cybercrime Convention that is currently being negotiated at the Council of Europe; and an initiative at the European Commission. CDT believes that robust human rights protections need to be built into any mechanism designed to facilitate cross-border demands for users’ internet communications.

The post CDT Argues Against Extraterritorial Warrants in Microsoft-Ireland Brief appeared first on Center for Democracy and Technology.

Today Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) introduced a sweeping, bipartisan measure to modernize our electronic communication privacy laws. Lee and Leahy have long been champions of reform, advancing measures such as the Email Privacy Act. The ECPA Modernization Act of 2017 goes well beyond that effort and proposes important updates to the Electronic Communications Privacy Act (ECPA) – a law Senator Leahy helped draft more than 30 years ago – to address the reality of communications in the modern digital age.

While ECPA was impressively forward-looking when it was passed, the rapid pace of technological change has made many of its provisions inadequate to protect the privacy of Americans. The most important, privacy-protective provisions that this [name of bill] would address are:

• Warrant requirement for communications stored in the cloud:  Law enforcement seeking to obtain communications content, such as emails, photos, or texts held by a third party, would first have to obtain a warrant. The actual text in the bill is the same as that of the Email Privacy Act, which was twice passed unanimouslyhere, here and here.
• Warrant requirement for location information: One unfortunate side effect of the mobile revolution is that we are not just carrying around a smartphone, but we are also carrying around a portable tracking device – one that routinely shares our location with 3rd parties. This bill would make it a requirement for law enforcement to obtain a warrant before accessing location information. As Justice Sotomayor wrote in United States v. Jones “Disclosed in [GPS] data . . . will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.” Revealing this type of sensitive information to the government simply can’t be the price for enjoying the convenience of mobile technologies.
• New limits on metadata collection: Metadata is data our devices and web services generate about how we communicate. It is not the contents of communication, but information such as who we are calling or texting, our friends on social media and where we go online. This was not protected under ECPA, but with this bill, the government would have to specify why it needs particular types of data and be limited to gathering just that type of data. The bill also improves how specific types of phone records are collected (known as call detail records), making it so that the protections apply whether the collection happens in real time or after the records are stored by a provider.
• Notice of when a search occurs: This legislation would put an affirmative obligation on the government to tell people when they invade their privacy. In the physical world when the government enters your home with a search warrant, you know about it (most of the time). This lets you contest the constitutionality of the search and learn when your privacy was invaded. But currently in the online world, because our communications are held by 3rd party service providers, we don’t automatically learn about searches (unless providers tell us).
• Reform of gag rules: Sometimes the subject of an investigation can’t be informed that investigation is happening – it might cause the suspect to flee or tamper with evidence. In those cases, a provider is gagged from telling a customer about the search. Unfortunately, in recent years those rules have been abused and orders have been too frequently sealed, sometimes forever. For example, over a recent 18-month period, Microsoft received 5,624 requests from federal law enforcement. 2,576 were under seal. This section reforms those rules so that gags can only last for a set period before the subjects of investigation are automatically alerted.
• Suppression remedy: The Lee-Leahy bill would create a real remedy for illegal actions taken by the government in collecting electronic communications, mirroring existing protections found in federal wiretapping statutes. Under the Fourth Amendment, when the government collects information in violation of the law, a suspect has the right to go to a court and get that information thrown out or, in legal terminology, suppressed. This is a key protection which keeps the police honest by giving them a clear incentive to play by the rules. This remedy doesn’t exist in ECPA right now, meaning that if police conduct an illegal search under today’s law, the suspect has no recourse.

All of these updates reflect to real, fundamental updates that are necessary for citizens to enjoy their full Fourth Amendment rights regardless of what form of communications they use. Please reach out to your Senator and urge them to cosponsor the ECPA Modernization Act and join with Senator’s Lee and Leahy in building bipartisan support for comprehensive privacy reform.

The post The Bill Our Privacy Desperately Needs in the Digital Age appeared first on Center for Democracy and Technology.