4/26/2013
12:27 PM

Email Without A Warrant? Senators Not Sold

Update to 1986 Electronic Communications Privacy Act would require police to demonstrate probable cause before accessing someone's email or stored cloud data.

The Senate has advanced legislation that would require law enforcement agencies to obtain a warrant from a judge before they could access someone's email or other data stored in the cloud.

Currently, under the Electronic Communications Privacy Act (ECPA), law enforcement agencies can subpoena any email that's been opened by a recipient or that's more than 180 days old; no warrant -- and accompanying requirement to first demonstrate probable cause -- required.

But the Leahy-Lee ECPA Amendments Act, approved Thursday by the Senate Judiciary Committee, would prohibit warrantless access to stored, online communications. "The bill would require law enforcement agents to obtain a warrant in order to gain access to the contents of email and of documents, pictures and other information stored in the cloud," said Greg Nojeim, senior counsel at the civil rights group Center for Democracy & Technology (CDT), in a blog post.

"I have long believed that our government should obtain a search warrant -- issued by a court -- before gaining access to private communications," Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said earlier this month, reported The Hill. "I have worked over the last several years to update our federal privacy laws to better safeguard our privacy rights in the digital age."

The bill, co-sponsored by Leahy and Sen. Mike Lee (R-Utah), appears to enjoy strong bipartisan support, including that of ranking Senate Judiciary Committee member Sen. Chuck Grassley (R-Iowa).

Law enforcement, business and academic representatives have been urging Congress to revise the ECPA -- which was passed in 1986 and updated in 1994 and in 2001 -- for years, albeit not always in the same way. While civil rights groups have called for greater privacy protections to be extended to emails, for example, the Justice Department has lobbied Congress to leave ECPA unchanged.

Congressional efforts to reform ECPA seemed to gain renewed vigor last year, however, after the FBI's investigation into allegedly threatening emails sent anonymously to Jill Kelley, a friend of then-director of the CIA David H. Petraeus. The investigation revealed that Petraeus was having an extramarital affair with his biographer, Paula Broadwell. The pair coordinated their affair, at least in part, by saving draft emails to each other in a shared Gmail account, which the FBI would have been able to access without a warrant.

While ECPA was designed to balance people's privacy rights with the needs of law enforcement agencies investigating crimes, privacy rights groups have accused the Department of Justice of taking an overly broad interpretation of ECPA, based on the agency's reading that old emails aren't subject to the protection of the Stored Communications Act, which limits the ability of police to compel service providers to disclose data without a warrant.

After the Ninth Circuit Court of Appeals, which covers the western United States -- including California -- ruled that the Stored Communications Act did apply to emails, the Justice Department advised investigators that when accessing emails more than 180 days old without using a warrant, they should do so outside the court's jurisdiction.

Comments
Michael Endler,
User Rank: Apprentice
4/29/2013 | 5:59:47 PM
re: Email Without A Warrant? Senators Not Sold
Well said. It's easy, as many have done, to decry the government as a prying monster that needs to be shrunk down. But this is too simplistic a view. There are instances in which public safety necessitates that personal assets - whether digital, like email, or physical, like a house - be available for law enforcement perusal. When there's a transparent protocol, I don't have a problem with local or federal authorities looking at online communications or searching private homes. But when there are only weak checks and balances governing how private data is accessed for investigations, that's a different matter. It's already difficult today, and as you point out, it will only become harder if lawmakers don't get with the program. Even if one trusts our current leaders to wield powers responsibly, some of the precedents that are being set demand debate, especially since they give more wiggle room than most people realize for future applications and expansions.
MyW0r1d,
User Rank: Apprentice
4/29/2013 | 1:50:30 PM
re: Email Without A Warrant? Senators Not Sold
Sometimes our elected officials can still surprise us with a reasonable appreciation of digital privacy issues (albeit a little slow). You had me until the final four words "stored in the cloud." So does that mean any privately maintained or business accounts do not fall under this modification? Are they talking private, public, or hybrid cloud? Still seems a little vague to me and open to discussion.

In my humble opinion, an email (open or otherwise) should be seen or applied equally to laws which govern an envelope lying in a private house on a table. You still need a warrant to enter and search the house (secured by a locked door much the same as a password provides to your email). You have taken reasonable measures to safeguard it as opposed to leaving it in an open mailbox on your front porch or in front of your house. Even then, wasn't the contents of a mailbox not at one time considered covered by Federal Law Title 18, Sections 1705 and 1708, which made it a federal offense to tamper with or withdraw without proper search and seizure?

This however is only one aspect of the assault on privacy and personal liberty. Video surveillance is increasingly being hidden behind overriding security issues, GPS stalking through a guise of "social apps" (don't you feel left out if you don't participate), and making it economically rewarding to businesses to sell or trade your personal information obtained through a desire to take advantage of online purchase or at home delivery. I am certain it all sounds a little paranoic to some, but they are all building blocks to construct an unconscious forfeiture of basic constitutional rights.
Cara Latham,
User Rank: Apprentice
4/29/2013 | 12:58:15 PM
re: Email Without A Warrant? Senators Not Sold
It's good to see the Congress is finally stepping up to take on the issue of protecting citizens' online rights. In theory, I am not opposed to law enforcement's use or access of private email -- so long as there is a warrant and a justification for needing to access it. Similarly, I do not have a problem with law enforcement entering a person's home -- again, so long as there is a warrant and a justification for doing so. If lawmakers don't take action now to protect citizens, future technological advances will make protecting citizens' privacy even more difficult.
dbtinc,
User Rank: Apprentice
4/27/2013 | 12:14:06 PM
re: Email Without A Warrant? Senators Not Sold
You are exactly correct. This is how the populace at large is entertained by such things as "gun control" while our basic rights are stripped away. Wake up and start to demand your right to privacy and being left the h*ll alone.
Steve Deraas,
User Rank: Apprentice
4/27/2013 | 3:44:14 AM
re: Email Without A Warrant? Senators Not Sold
Well thought out, well articulated, and absolutely correct!
Michael Endler,
User Rank: Apprentice
4/26/2013 | 11:42:11 PM
re: Email Without A Warrant? Senators Not Sold
It's good that there's FINALLY bipartisan opposition to warrantless email monitoring. It would be great if this attitude extended to a lot of other important issues. But the DOJ's stance toward cyberlaw has still been troubling.

Last month, the Justice Department finally acknowledged that aspects of U.S. email laws need to be changed -- but that hasn't stopped DOJ lawyers from exploiting the dodgier laws when they feel like they need to, or from attempting to bully hacktivists with punishments that are more about making an example of someone than about fitting the alleged crime. I'm not saying that the DOJ hasn't had legitimate reasons for exploiting these rules; if there's a clear and present danger to the public, for example, then there's plenty of room for debate. But precedents are being established while a lot of important debates (Congress members' relationship to insider trading rules is another) are silenced under the heading of "national security," making it difficult for responsible citizens to tell when certain ideals might need to be re-examined in light of current realities, or when "national security" is being used as a catch-all to accelerate an action or silence debate.

Technology moves fast and lawmakers can do only so much to keep pace, so some amount of discord is inevitable. But the implications of many of these laws are profound, and we're not having transparent conversations about how we define the rights they affect. If that doesn't seem like a problem today, think what it will be like 10 years from now, when sensors are embedded in everything, and when every minutiae of our day-to-day existence, from where we are to whom we're with to what our heart rate is at any given instant, is documented. These developments could change the world for the better, but they also raise foreseeable issues that we should really strive to get right in the first place. There are already connected pacemakers collecting data that is generated by the patient but to which the patient has no legal access or ownership. As this sort of personal data-collection proliferates into new forms, the issue of who owns and has access to your data will be an important topic.

It's amazing that something like gun show background checks gets so much mainstream play relative to conversations about online rights. That's not to say one thing or another about the Second Amendment, but if lobbyists and lawmakers are going to maintain that some rights are so sacrosanct that they must be interpreted as widely as possible, why is a reasonable discussion of online privacy (which, I suspect, many people would consider a clear Fourth Amendment issue) so much harder to sustain?