CDT POLICY POST Volume 10, Number 13, July 30, 2004
A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Email Privacy Protection Called into Question by Federal Appeals Court
Decision
(2) Loophole for Law Enforcement Access to Internet Communications
(3) ISPs Can Access Email in Transit Without Violating Wiretap Act
(4) Legislative Fixes Being Considered
---------------------------------------
(1) Email Privacy Protection Called into Question by Federal Appeals Court
Decision
A recent court decision has revealed a significant gap in email privacy
protection. The U.S. Court of Appeals for the First Circuit ruled in
United States v. Councilman that an email provider does not violate
federal wiretap laws when it opens emails to its customers and uses
them for its own competitive business purposes. Although the decision
applies only in a few New England states, its interpretation of
Internet privacy laws if more broadly accepted would weaken protections
for real-time communications over the Internet.
Current law provides different legal standards for access to
communications while they are in transit and while they are in storage.
Real-time access to communications in transit is subject to the strict
procedures of the federal Wiretap Act (also called "Title III"). The
Stored Communications Act provides less stringent standards for
obtaining access to stored emails. Councilman essentially moved
Internet communications from the more stringent requirements of
Title III to the less stringent protection of the Stored
Communications Act.
In Councilman, the email provider was copying customer emails on an
ongoing basis just before they were placed into the recipients'
mailboxes on the provider's server. The court found that because
the email messages were very briefly stored (literally for
milliseconds) on the ISP's computer before going into the
recipients' mailboxes, the ISP did not violate the Wiretap Act's
prohibition on intercepting email while it is in transit.
Since digital transmissions are stored in RAM or on hard drives at
each step along their path while computers process them and send
them on their way, all email could be accessed while in "storage,"
and most acquisitions of email would fall outside the strict rules
of Title III. This has significant privacy ramifications with
regard to both law enforcement and ISP access to Internet
communications.
* United States v. Councilman,
http://www.cdt.org/wiretap/20040630decision.pdf
* The Wiretap Act ("Title III"),
http://www4.law.cornell.edu/uscode/18/pIch119.html
* The Stored Communications Act,
http://www4.law.cornell.edu/uscode/18/pIch121.html
---------------------------------------
(2) Loophole for Law Enforcement Access to Internet Communications
The First Circuit's interpretation creates a potential loophole for law
enforcement agents to intercept email or other Internet-based
communications in real time without abiding by the strict requirements
of Title III. Because ongoing interception of communications is
uniquely intrusive, Title III prohibits real-time interception of voice
or email communications in transit without a wiretap order and other
procedural safeguards. The Councilman decision undermines that
requirement. Instead, access to email that is essentially real-time
would be subject to the lower standards of the Stored Communications
Act, which sometimes require a search warrant for government access and
sometimes permit government access with a mere subpoena meaning there
is no court approval at all.
With a search warrant or subpoena, the government is only supposed to
get whatever the service provider has in storage at the time the order
is executed. Even the Department of Justice has always assumed that
ongoing access to Internet communications requires a wiretap order
under Title III. The Councilman decision calls that interpretation
into question.
---------------------------------------
(3) ISPs Can Access Email in Transit Without Violating Wiretap Act
In addition to the question of government access, the Councilman
decision has highlighted a weakness in the privacy duties of ISPs.
Councilman did not change the law in this regard, but it pointed out
that while email is in storage with an ISP, an ISP can read and use
that email, without notice or consent, for its own business purposes.
ISPs have legitimate reasons for reviewing email, such as protecting
the security of their networks, but the law also allows an ISP to use
a customer's email for its own purposes unrelated to providing
Internet service and without notifying the customer.
This is clearly inconsistent with the spirit and intent of the
electronic privacy laws, clearly incompatible with the expectations of
users, and clearly at odds with industry norms as reflected in the
privacy policies of major ISPs. In the Electronic Communications
Privacy Act of 1986, which amended Title III and created the Stored
Communications Act, Congress intended to provide privacy protection
to email that is roughly comparable to that afforded telephone calls
and postal mail.
It is now clear that there is an unintended loophole in the law.
ISPs should only be allowed to read and use their customers' email
when necessary to protect the ISPs' rights or enforce the terms of
service, or with prior informed consent. Councilman did not
significantly change the rules for ISPs, but it highlighted a major
loophole in our privacy laws, which essentially permit ISPs to access
and use, and in some cases even disclose to others, their customers'
stored email.
---------------------------------------
(4) Legislative Fixes Being Considered
Congressional action to address both aspects of the Councilman
decision has already begun. A bipartisan group of Members of Congress
introduced a House bill, the E-mail Privacy Act of 2004 (H.R. 4956),
which would amend both Title III and the Stored Communications Act.
The bill, sponsored by Rep. Jay Inslee (D-WA) and cosponsored by
Rep. Jeff Flake (R-AZ), Rep. Roscoe Bartlett (R-MD), and Rep. William
Delahunt (D-MA), would both ensure that law enforcement officials have
to obtain a wiretap order in order to engage in real-time acquisition
of Internet communications, and that ISPs cannot read and use their
customers' email except where necessary to provide service or with
consent. A second bill, H.R. 4977, sponsored by Rep. Jerrold Nadler
(D-NY), addresses the same issues.
* H.R. 4956, [http://thomas.loc.gov/cgi-bin/bdquery/z?d108:hr4956:]
* H.R. 4977, [http://thomas.loc.gov/cgi-bin/bdquery/z?d108:hr4977:]
* More on wiretap laws, http://www.cdt.org/wiretap/wiretap_overview.html
---------------------------------------
Detailed information about online civil liberties issues may be found
at http://www.cdt.org/ .
This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_10.13.shtml .
Excerpts may be re-posted with prior permission of
ari@cdt.org
Policy Post 10.13 Copyright 2004 Center for Democracy and Technology
--
To subscribe to CDT's Activist Network, sign up at:
http://www.cdt.org/join/
If you ever wish to remove yourself from the list, unsubscribe at:
http://www.cdt.org/action/unsubscribe.shtml
If you just want to change your address, you should unsubscribe
yourself and then sign up again or contact: mclark@cdt.org
--
Michael Clark, Grassroots Webmaster
mclark@cdt.org
PGP Key available on keyservers
Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
http://www.cdt.org/
voice: 202-637-9800
fax: 202-637-0968
========== HURIDOCS-Tech listserv ==========
Send mail intended for the list to <huridocs-tech@hrea.org>.
Archives of the list can be found at:
http://www.hrea.org/lists/huridocs-tech/markup/maillist.php
To subscribe to the list, send a message to <majordomo@hrea.org>,
with the following text in the message: subscribe huridocs-tech
To unsubscribe from the list, send a message to <majordomo@hrea.org>,
with the following text in the message: unsubscribe huridocs-tech
If you have problems (un)subscribing, contact <owner-huridocs-tech@hrea.org>.
[Reply to this message] [Start a new topic] [Date Index] [Thread Index] [Author Index] [Subject Index] [List Home Page] [HREA Home Page]