photo by WilliamBanzaix
WASHINGTON—Republican and Democrat lawmakers expressed renewed skepticism Wednesday about the scope of the government’s surveillance operations and threatened to revoke authority for one of the programs recently disclosed by a former National Security Agency contractor that collects telephone records on tens of millions of Americans.
“This is unsustainable, outrageous and must be stopped immediately.”
Noting mounting concerns since details about the telephone records program and a separate operation that collects the communications of non-U.S. citizens abroad were disclosed last month, Rep. James Sensenbrenner, R-Wis., said there “are not enough votes to renew” the authority, at least for the vast phone records collection effort.
“This program has gone off the tracks,” Rep. Zoe Lofgren, D-Calif., said, “and it needs to be reined in.”
But Justice Department and NSA officials asserted that the programs were the subject of strict oversight by the Foreign Intelligence Surveillance Court, Congress and agency officials.
“This is not done in some rogue manner,” Deputy Attorney General James Cole told the panel. “We know of no one who has abused this in a way that would have caused discipline.”
Though former NSA contractor Edward Snowden disclosed the existence of the operations without authorization prompting criminal charges related to espionage, Deputy NSA Director Chris Inglis said the government has no evidence that he “abused the data.”
The strong questioning from lawmakers comes more than a month after Snowden’s disclosures triggered a heated debate over the intersection of the government’s surveillance authority and personal privacy rights.
Snowden has taken refuge in the transit area of a Moscow airport since fleeing Hong Kong last month to avoid extradition to the U.S.
Rep. Spencer Bachus, R-Ala., said that while he was “satisfied” that government officials overseeing the programs were acting in good faith, he said there was “concern that this could evolve into something quite different.”
“How do we keep this from evolving into an unchecked weapon that can be used against people’s rights?”
Cole said the phone record collection program contained multiple safeguards against inappropriate breaches of privacy. Echoing defenses offered by other administration officials, he said collection did not involve the content of phone calls, nor did it include the names of the parties to the calls.
“You can’t just wander through these records,” he said.
Responding to repeated questions about the vast nature of the collection effort, Cole said at one point: “If you are looking for the needle in a haystack, you have to have the haystack.”
No Warrant, No Problem: How The Government Can Still Get Your Digital Data
The U.S. government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified.
PHONE RECORDS: Who You Called, When You Called
Listening to your phone calls without a judge’s warrant is illegal if you’re a U.S. citizen. But police don’t need a warrant — which requires showing “probable cause” of a crime — to get just the numbers you called and when you called them, as well as incoming calls, from phone carriers. Instead, police can get courts to sign off on a subpoena, which only requires that the data they’re after is relevant to an investigation — a lesser standard of evidence.
Police can get phone records without a warrant thanks toSmith v. Maryland, a Supreme Court ruling in 1979, which found that the Constitution’s Fourth Amendment protection against unreasonable search and seizure doesn’t apply to a list of phone numbers. The New York Times reported last week that the New York’s police department “has quietly amassed a trove” of call records by routinely issuing subpoenas for them from phones that had been reported stolen. According to The Times, the records “could conceivably be used for any investigative purpose.”
LOCATION DATA: Your Phone Is a Tracker
Many cell phone carriers provide authorities with a phone’s location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smartphones. The major cell carriers, including Verizon and AT&T, responded to at least 1.3 million law enforcement requests for cell phone locations, text messages and other data in 2011. Internet service providers can also provide location data that tracks users via their computer’s IP address — a unique number assigned to each computer.
Many courts have ruled that police don’t need a warrant from a judge to get cell phone location data. They only have to show that, under the federal Electronic Communications Privacy Act (EPCA), the data contains “specific and articulable facts” related to an investigation — again, a lesser standard than probable cause.Delaware, Maryland and Oklahoma have proposed laws that would require police to obtain a warrant for location data; Gov. Jerry Brown of California, a Democrat, vetoed a similar bill last September. Last year, the Senate Judiciary Committee approved a bill championed by Sen. Patrick Leahy, a Vermont Democrat, which would have updated the ECPA but wouldn’t have changed how location data was treated. Leahy and Sen. Mike Lee, a Utah Republican, introduced a similar bill last month, which remains in committee. Rep. Zoe Lofgren, a California Democrat, introduced a separate bill in the House of Representatives last month that would require a warrant for location data as well as emails.
IP ADDRESSES: What Computers You Used
Google, Yahoo, Microsoft and other webmail providers accumulate massive amounts of data about our digital wanderings. A warrant is needed for access to some emails (see below), but not for the IP addresses of the computers used to log into your mail account or surf the Web. According to the American Civil Liberties Union, those records are kept for at least a year.
Police can thank U.S. v. Forrester, a case involving two men trying to set up a drug lab in California, for the ease of access. In the 2007 case, the government successfully argued that tracking IP addresses was no different than installing a device to track every telephone number dialed by a given phone (which is legal). Police only need a court to sign off on a subpoena certifying that the data they’re after is relevant to an investigation — the same standard as for cell phone records.
EMAILS: Messages You Sent Months Ago
There’s a double standard when it comes to email, one of the most requested types of data. A warrant is needed to get recent emails, but law enforcement can obtain older ones with only a subpoena. Google says it received16,407 requests for data — including emails sent through its Gmail service — from U.S. law enforcement in 2012. And Microsoft, with its Outlook email service, disclosed last month that it had received 11,073 requests for data last year. Other email providers, such as Yahoo, have not made similar statistics available. In January, Googlesaid that it would lobby in favor of greater protections for email.
This is another area where the ECPA comes into play. The law gives greater protection to recent messages than older ones, using a 180-day cutoff. Only a subpoena is required for emails older than that; otherwise, a warrant is necessary. This extends to authorities beyond the FBI and the police. I.R.S. documents released this week by the American Civil Liberties Union suggest that the I.R.S.’ Criminal Tax Division reads emails without obtaining a warrant. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would require a warrant for the authorities to get all emails regardless of age. The Justice Department, which had objected to such a change, said last month that it doesn’t any longer.
EMAIL DRAFTS: Drafts Are Different
Communicating through draft emails, à la David Petreaus and Paula Broadwell, seems sneaky. But drafts are actually easier for investigators to get than recently sent emails because the law treats them differently.
The ECPA distinguishes between communications — emails, texts, etc. — and stored electronic data. Draft emails fall into the latter, which get less protection under the law. Authorities need only a subpoena for them. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would change that by requiring a warrant to obtain email drafts.
TEXT MESSAGES: As With Emails, So With Texts
Investigators need only a subpoena, not a warrant, to get text messages more than 180 days old from a cell provider — the same standard as emails. Many carriers charge authorities a fee to provide texts and other information. For texts, Sprint charges $30, for example, while Verizon charges $50.
The ECPA also applies to text messages, according to Hanni Fakhoury, a lawyer with the Electronic Frontier Foundation, which is why the rules are similar to those governing emails. But the ECPA doesn’t apply when it comes to actually reading texts on someone’s phone rather than getting them from a carrier. State courts havesplit on the issue. Ohio’s Supreme Court has ruled thatpolice need a warrant to view the contents of cell phones of people who’ve been arrested, including texts. But the California Supreme Court has said no warrant is needed. The U.S. Supreme Court in 2010 declined to clear up the matter.
CLOUD DATA: Documents, Photos, and Other Stuff Stored Online
Authorities typically need only a subpoena to get data from Google Drive, Dropbox, SkyDrive, and other services that allow users to store data on their servers, or “in the cloud,” as it’s known.
The law treats cloud data the same as draft emails — authorities don’t need a warrant to get it. But files that you’ve shared with others — say, a collaboration using Google Docs — might require a warrant under the ECPA if it’s considered “communication” rather than stored data. “That’s a very hard rule to apply,” says Greg Nojeim, a senior counsel with the Center for Democracy & Technology. “It actually makes no sense for the way we communicate today.”
SOCIAL MEDIA: The New Privacy Frontier
When it comes to sites like Facebook, Twitter and LinkedIn, the social networks’ privacy policies dictate how cooperative they are in handing over users’ data. Facebook says it requires a warrant from a judge to disclose a user’s “messages, photos, videos, wall posts, and location information.” But it will supply basic information, such as a user’s email address or the IP addresses of the computers from which someone recently accessed an account, under a subpoena. Twitter reported in July that it had received 679 requests for user information from U.S. authorities during the first six months of 2012. Twitter says that “non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process.”
Courts haven’t issued a definitive ruling on social media. In September, a Manhattan Criminal Court judge upheld a prosecutor’s subpoena for information from Twitter about an Occupy Wall Street protester arrested on the Brooklyn Bridge in 2011. It was the first time a judge had allowed prosecutors to use a subpoena to get information from Twitter rather than forcing them to get a warrant; the case is ongoing