
Petraeus Snoop: 7 Privacy Facts

Investigation of former CIA director Petraeus introduces some tough privacy questions. The good news: it could lead to tighter protections for everyone.
4. ECPA Amendments Proposed, Again

Improved privacy protections, however, may be on the way. On Thursday, the Senate Judiciary Committee announced that on November 29 it plans to vote on amendments to ECPA proposed in September by the committee's chairman, Sen. Patrick Leahy (D-Vt.), who was also the lead Senate author of the original bill, enacted in 1986. As with a search of a car or house, Leahy's ECPA amendments would require the government to obtain a probable cause warrant before it could access any email stored in the cloud.

"The legislation will make commonsense changes to existing law to improve privacy protections for consumers' electronic communications, and clarifies the legal standards for the government to obtain this information," read a statement released by Leahy.

Right now, ECPA doesn't always require a probable cause warrant to force service providers to turn over the contents of users' private emails, instant messages, and social networking messages, according to EFF's analysis of Leahy's proposals, which it has endorsed. "Nor does the government need a warrant if an email message is older than 180 days. This low threshold to electronic messages is in stark contrast to the Fourth Amendment protections for physical letters."

5. Email Privacy Protections Expire After 180 Days

Remember the innovative Gmail archive feature, through which no email need ever be deleted? Turns out it's a smorgasbord for any law enforcement agencies that are conducting surveillance. That's because the Justice Department currently maintains that any emails that have been read by the receiver and left in a mailbox (for example, on Gmail or Hotmail), as well as saved drafts or copies of sent messages, and emails that are more than 180 days old, aren't covered by the Stored Communications Act.

But wait, there's more: "The government's view of the law was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages." As a result, the Department of Justice has instructed any investigators accessing emails that are older than 180 days, without a subpoena, to make sure they do so outside of the jurisdiction of the Ninth Circuit Court of Appeals.

6. Email "Minimization" Requirements Vague

Another privacy issue is that once investigators access an email account, they can review any of the messages they find. "The government is required to 'minimize' its collection of some electronic information," said EFF -- for example, when conducting wiretaps. "But when it comes to email, such minimization requirements aren't as strong. The DOJ Manual suggests that agents 'exercise great caution' and 'avoid unwarranted intrusions into private areas,' when searching email on ISPs but is short on specifics."

7. Incident Could Happen All Over Again

Did the Petraeus investigation break any laws? Apparently not, and that fact -- as well as the prospect that the FBI could similarly investigate anyone on what seems to be the flimsiest of pretexts -- has privacy advocates demanding that Congress finally extend the nation's privacy laws to cover people's personal electronic communications. As noted in the EFF email privacy primer, "If we learn nothing else from the Petraeus scandal, it should be that our private digital lives can become all too public when over-eager federal agents aren't held to rigorous legal standards."
