The Stored Communications Act, passed 25 years ago this month, includes rules that make data stored on remote computers vulnerable to law enforcement subpoena without requiring a warrant. However, even though the law hasn't been changed by Congress, recent court decisions have made the government less likely to pursue this type of data without a warrant. Bob talks to Forbes privacy blogger Kashmir Hill about these developments.
When the Internal Revenue Service in Newark, New Jersey wanted to track down and collect $250,000 from a tax scammer, it asked his Internet service provider to turn over the scammer’s past two years of emails. The government did so under the provisions of the Electronic Communications Privacy Act, or ECPA.
But despite ECPA, the service provider refused, telling the IRS to get a warrant, because while ECPA made sense when it was enacted 25 years ago, widespread storage of old email in the cloud has made all of us vulnerable to routine government snooping.
Privacy advocates have long fought to update this law, and now it seems the courts are helping them do the job. Kashmir Hill, who writes the Not-So Private Parts blog for Forbes.com, explains the origins of this 1980s legal loophole.
At that time email was stored locally on your computer. But now most of our email lives in the cloud; we can access it from anywhere, which is wonderful and convenient, except when the law was created it was assumed that once that email was sitting up with your provider for more than 180 days, more than six months, it was basically abandoned. So it was fine for law enforcement to go in and look at it without a warrant.
What puzzles me is why there was a lower standard for search and seizure of stuff that was deemed to be abandoned? It's still my stuff.
I think that email that had been left with the service provider for more than six months was essentially seen as - like the trash that you leave on the curb. And like the trash that you leave on the curb, law enforcement was allowed to, to go through it.
Can you put a number to how many requests the government is making for this kind of stuff?
There's no reporting requirement in ECPA, so law enforcement doesn't have to say how often it goes fishing for this. There is one company that's very transparent about this, Google.
And they just released their report for the first half of 2011, and they received over 6,000 requests for 11,000 different accounts. And that is just the first half of 2011. And that's a 30 percent increase over their numbers from the latter half of 2010.
Now, this question has been litigated. Tell me about the case U.S. v. Warshak.
Well, this is a case involving Steven Warshak, referred to as a sex pill peddler. He had a herbal supplements company, where he was selling something called Enzyte.
Enzyte, that’s the Smilin’ Bob commercials, and Bob’s smilin’ because he’s been enhanced.
This is Bob. Bob is looking cool. And with a call to Enzyte about natural male enhancement, Bob is livin’ large. In a few short weeks, Bob has a big new spring of confidence, a generous swelling or pride. And the one thing every man deserves, a little well-earned respect from the neighborhood.
Many customers said that the supplement didn't work. So Warshak was investigated for deceiving customers, fraud. He eventually was investigated by the IRS, the FBI, the FDA.
And because of the loophole, they were able to look at 27,000 emails that had been exchanged by Warshak and his colleagues. He was convicted and given a 25-year prison sentence, but he was shocked that law enforcement was able to just look at tens of thousands of his emails without a warrant.
And so, he challenged this. It went up the legal system to the Sixth Circuit, which is the highest court below the Supreme Court. And they found that the Stored Communications Act violates the Fourth Amendment, which protects us against unreasonable searches and seizures.
The legal scholar Paul Ohm called it a watershed moment in privacy, in terms of extending our constitutional rights to the Internet.
Now, the government is free to regard this as precedent in only one jurisdiction and go about business as usual elsewhere. Is that what the government's doing?
It doesn't look like it. There's a particular case where a tax collector in Newark was trying to get email from an Internet service provider in the Ninth Circuit, which is where California is. And the email provider said, no, we're not going to give you the contents of this person's email, and pointed at the Sixth Circuit decision.
The tax collector in Newark objected, but the senior counsel for the IRS told the York tax collector, yes, we see this decision of the Sixth Circuit as being binding nationally. You know, government agencies don't want to build cases by going to people's emails without a warrant, getting evidence that will later be struck down.
All I can tell you is that privacy advocates are very reassured by this case out of the Sixth Circuit, because it has established precedent that it is unconstitutional to go reading people's emails without a warrant.
All right. Kashmir, thank you very much.
Thank you, Bob. It was a pleasure.
[MUSIC UP AND UNDER]
Kashmir Hill writes the Not-So Private Parts blog for Forbes.com.