Schneier on Security
A blog covering security and security technology.
« Cell Phone Stalking |
| Surveillance Cameras that Obscure Faces »
June 25, 2007
4th Amendment Rights Extended to E-Mail
This is a great piece of news in the U.S. For the first time, e-mail has been granted the same constitutional protections as telephone calls and personal papers: the police need a warrant to get at it. Now it's only a circuit court decision -- the Sixth U.S. Circuit Court of Appeals in Ohio -- it's pretty narrowly defined based on the attributes of the e-mail system, and it has a good chance of being overturned by the Supreme Court...but it's still great news.
The way to think of the warrant system is as a security device. The police still have the ability to get access to e-mail in order to investigate a crime. But in order to prevent abuse, they have to convince a neutral third party -- a judge -- that accessing someone's e-mail is necessary to investigate that crime. That judge, at least in theory, protects our interests.
Clearly e-mail deserves the same protection as our other personal papers, but -- like phone calls -- it might take the courts decades to figure that out. But we'll get there eventually.
Posted on June 25, 2007 at 4:13 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So how will this affect corporate email at all? I would assume email from your ISP is protected in this fashion, but corporate email is still owned by the business, yes? So they can still spy on you, and give your emails that they process/store?
"That judge, at least in theory, protects our interests."
How nice of him/her! Just like a loving, paternal, omnipresent parent, the judge, a government official, will watch over us and protect us from undue intrusion by other government officials.
Oh what a near-perfect statist paradise! We children of the state had better be grateful! It could be much worse!
Hmm, but I wonder what the Even Bigger Judges (Justices) of the Even More Important Court will have to say? I wonder if they too will tell us that their (contrary) decision is even more in our own best interest?
No matter! For then we'll have TWO parents to watch over us! Oh what a near-perfect statist paradise! We children of the state had better be grateful! It could be much worse!
Hurry now, back to work, so we can pay the salaries and benefits of our benevolent keepers.
Hi do ho, ho ho, it's off to work we go, with a hip and a hop, hi de ho....
"..they have to convince a neutral third party -- a judge.."
A judge is not a neutral third party.
City police often go to the city judge to get a warrant. The city judge and the city police are employed by the same organisation. Likewise, the county judge and the county police work for the same organisation. The county and city always work together.. they also have the exact same interests in mind.
The only judge that can be considered a neutral third party would be a Supreme Court Justice.. and even they work for the US government - which means they are biased as well.
Asking a police officer to go to a judge to get a warrant is nothing more than a formality.. not to mention a conflict of interest with regard to our rights.
I wonder if this applies to someone who hosts their own mail server. Granted, not many people fall into this category, but it makes me wonder. Consider this situation; the domain is registered by an individual who has an anonymous listing in WHOIS, operates their mail server themself and uses their email for whatever purposes. Since most people in this situation don't have a static IP they use a dynamic DNS service.
How long do you think the blackhats will take tracing the server back?
Surely, you libertarian idiots can stop your wanking long enough to recognise that requiring a judge's approval is at least better than allowing cops to just grab anybody's e-mails on a whim. Honestly, would you prefer to not include a judge in the process? Even if they both work for "The State", the more people involved the more likely it is, on aggregate, that at least the most egregious abuses will be uncovered and stopped.
A warrant is not just important in that it gives a judge a chance to stop the police from violating your rights. It also provides a paper trail so that decisions that potentially violate someone's rights can be audited and challenged after the fact. The defense in a trial can, for example, challenge the evidence obtained as a result of the warrant via a claim that the warrant was issued improperly. If it turns out that the warrant should not have been granted, then the evidence is invalidated. If the evidence is invalidated, the prosecution doesn't get to use it to convict you.
All this adds up to very, very good motivation for the judge to make sure they have a solid case before granting a warrant - if they grant a warrant that's later overturned, they've actually done harm to the prosecution's case.
A judge who abides by his oath is a neutral third party.
Warrants are based upon probable cause, not upon the presentation of proof beyond a reasonable doubt, which is the standard for conviction. A judge can conceivably sign a warrant and later, in the same case, dismiss charges due to lack of evidence, or even return a not guilty verdict after a bench trial. Many judges have performed the duties of the bench honorably and well.
We'd better hope that judges at all levels can be objective. We need that objectivity if we're to have any constitutional protections left, or if we're to regain any functional rights that we have lost.
But I so enjoy my wanking. And don't call me Shirley.
1. The cops can mine everything they want without restrictions, since their monitoring is not itself monitored. Then when they know what the goods are and where exactly to find them, they will email the judge to get a rubberstamp warrant. Result: zero protection.
2. The decision does not extend to the infrastructure. Analysis of the email traffic to, from, and within the White House would tell spies who has more actual clout, Karl Rove or Dick Cheney. Again: zero protection.
Among the most disturbing parts of the Sixth Circuit's opinion is the observation in footnote 1 on p.2 of the PDF:
"The government has conceded that it violated the statute by waiting for over a year without providing notice of the e-mail seizures to Warshak or seeking extensions of the delayed notification period, and it appears to have violated the magistrate’s decision for the same reason."
This incident is related in further detail in United States District Judge Susan J. Dlott's "Order [...] Entering Preliminary Injunction"
From p.3 of that order:
“The Magistrate Judge also found that ‘prior notice of this Order to any person of this investigation of this application and order by the government or NuVox would seriously jeopardize the investigation.’ (Id.) Accordingly, he ordered the application and order sealed ‘until otherwise ordered by the Court’ and provided that ‘the notification by the government otherwise required under [SCA subsection] 18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days.’ (Id.)”
The District Court further relates:
“On May 31, 2006, over a year after obtaining the NuVox 2703(d) order and nine months after obtaining the Yahoo 2703(d) order, the United States wrote to Warshak to notify him of the orders.4 (Doc. #1 Ex. 1 at 1, Ex. 2 at 1.) The Magistrate Judge had unsealed both orders the previous day, May 30, 2006, apparently on the United States’ motion.”
All in all, no matter what even the Supreme Court says, none of it makes a damn's worth of difference to any innocent people when agents of the United States don't follow the Court's orders.
You want email privacy? Then encrypt your email.
I read this blog because I occasionally enjoy some of the entries, but I usually roll my eyes at the naiveté of anything political that Bruce posts. It's really shocking that someone who is obviously very smart could think *so* uncritically about the promise of democracy. But it's nice to see some people challenging him in these comments.
So share your sophisticated analysis in detail, Mordecai.
Bringing up politics is a good point. In the long run, I s'pose nobody really cares too much about reading your love-letters—at least after your divorce is finalized. But politics is another matter.
If you know something about PGP or GPG, please volunteer to help your candidates. Email is already a big part of a modern campaign.
The judge who issues the warrant is not a neutral third party because he/she is chosen by the police. When the police apply for a warrant, they get to choose which judge to ask, within a relevant jurisdiction.
As somebody said, although it's not much of a safeguard, it is better than nothing.
I am from Germany, the world's leader when it comes to tapped phones (about 40000 each year, up from 3000 about 10 years ago). And yes, my phone has been tapped in the past, too.
For the police to tap a phone a court order is required, so in theory the supposedly "neutral" judge can protect your privacy by refusing. But in reality nearly 100% of the requests by law enforcement are signed by judges without questioning the motives, and whether the phone tap is necessary and justified. If the cops or a prosecutor wants to listen in on phone conversations, they ALWAYS get what they want. This has been ivestigated and documented by independent scientists who reviewed hundreds of cases.
When such surveillance measures are taken, the 'victim' must be notified when the investigation is over. And big surprise, who would have thunk, it almost never happens. Cops and prosecutors are clearly breaking the law and get away with it.
Without a doubt the same will happen with your precious email. Law enforcement will totally blow the accusations totally out of proportion and then get what they want.
Which part of "in theory" don't you people understand.
If the judges are so quick to sign warrents/etc why do the police/FBI what laws to cut them out?
Having a judge review the warrants acts as a filter that prevents some abuse. If a prosecutor wants access to your email or phone conversations he will have to present probable cause to the judge. Off course he can fabricate some allegations, or point to an anonymous tip from an "agent from an intelligence agency".
The biggest hole here is that prosecutors are hardly ever prosecuted for crimes they commit in their job. Lying to judges (perjury) is accepted, as long as you can get away with it. Most get away with it and get good reviews for number of "solved" cases.
Bruce, the following sentence is not accurate:
"For the first time, e-mail has been granted the same constitutional protections as telephone calls and personal papers..."
I take exception to the "has been granted" phrase. The government does not GRANT rights, it simply ACKNOWLEDGES rights that exist inherently. Which is what happened here.
I know it seems like nitpicking, but this one small detail about our Constitution (that it acknowledges, not grants, rights) is probably the most important issue in restoring liberty to this nation.
The idea behind a judge granting a warrant is that, although judges are not exactly saints, they get paid the same whether or nor they grant the warrant. So there is little incentive to be dishonest. The analogy to authentication protocols with a "Trent" character holds, just as Trent doesn't need to be a saint, just someone who has no incentive to cheat.
Even if the supreme court upheld it, wouldn't our Great Leader just choose to ignore it anyway, as he has with so much other legislation that runs counter to his agenda?
Really want to read that email, but those meddling judges won't let you? All you need to do in our current political climate is utter the magic phrase "terrorist plot" enough times to get the executive branch to take notice.
@ Mike K
"The government does not GRANT rights, it simply ACKNOWLEDGES rights that exist inherently."
Leftist-liberals don't believe that's true, Mike. For that matter, neither do most rightist-conservatives. People who believe in the primacy of the State hold as self-evident the idea that people are born devoid of any moral rights, and any rights or freedoms they come to possess are granted them by the authority of the State (which takes the form of a government official.) Just as legitimately, such rights can be taken away by such officials.
This is why we can read excitement into Bruce's post: he truly does believe it to be "great news" when a State official deigns to "grant" individuals a particular right or freedom. The official could have just as easily decided the other way, which of course would have been worse.
So how could we serfs not be thankful for being allowed another modicum of freedom? We better take what we can get before our local overseer changes his mind, right?
I cannot help wondering whether this is an attempt to head off increasing use of encryption. If usage were to become widespread, initial intelligence gathering would be limited to little more than traffic analysis, the results of which would presumably be leveraged into probable cause for a warrant, and/or would rely on the use of so-called 'live forensics' which would itself then be subjected to 4th Amendment scrutiny.
My understanding of the 6th Circuit's reasoning is that people expect privacy when sending emails, and so the Constitutional right to privacy extends to email.
Personally, though, I haven't had any expectation of privacy in email since I started using it. Police, schmolice -- I worry about random BOFHs. Sending (unencrypted) email is like sending a postcard: nothing stops anyone in the delivery chain from reading it.
(How much expectation of privacy did Melissa Scannell have when she sent that topless cellphone photo to her boyfriend?)
Honestly. Just encrypt your emails with GnuPG and use SSL to and from the servers.
And... more importatnly... Know and be able to trust who it is you're communicating with. If you don't know the person, then don't talk to thim or her.
Install a home WiFi router, and every consumer is warned that they must enable encryption, even if no files are shared on the network. Yet, the same users take the same computers to Starbucks, and use an un-encrypted connection.
On the other hand, when did the media, or any ISP, last advise people to get a free certificate and use e-mail encryption? It's free, very effective, and it's already integrated into Outlook and Eudora.
It's simple for corporations and individuals to ensure that their e-mail can only be read by the intended recipients. Instead, corporations place footers in their e-mail messages, advising unintended recipients not to read the message they just read.
While home users fiddle for hours to prevent a hacker from "invading" their Internet router, every e-mail they send and receive may be cached on a dozen servers, all of which can do whatever they please with the information.
The comment about corporate email, and businesses "spying" on their employees points out the blind spot of most protectionists of "workplace rights:" a business is absolutely LIABLE for the actions of its employees. Respondeat superiori is the theory of liability that rules whether an employer knew what the employee was doing or not. Negligent supervision is also often charged. One quick example is sexual harassment via email; I think everybody has heard about those cases. Some companies have addressed the issue of employee privacy and effective work habits by setting up a separate computer, usually direct-linked, in a break room, where employees can handle private tasks during their breaks, and not on company time. This gives employees access, protects their privacy, and also addresses the security issue of possible virus infection from internet sites, etc. that could wipe out a company's computers. Another issue is that the employer is paying for the employee's time, and the employee is using the employer's time/ equipment for personal tasks, which is actually just another form of white-collar crime. We certainly don't put up with that kind of activity when we hire somebody to work in our homes, on our yards, on our cars, etc., so why should we expect our employers to let it slide. Time is money, for sure, in today's business world. Where I work, we have more than one shift. Our desks are shared, and anyone can work anywhere. We don't expect "privacy," except on our breaks - where we get it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.