Data privacy and Twitter: privacy protections or the lack of them.

July 22, 2012

The Economist has recently run a number of fascinating pieces on data privacy in the US and Europe. In "Out of shape" the focus is on the ever-expanding demand on service providers (and others) for data.

It provides:

SNOOPING, like so many things in life, is going mobile and online. In 2011 Google received 12,271 requests for data from the American government and acceded to all but a few of them. American mobile-phone carriers together fielded more than 1.3m such requests. Some covered multiple subscribers. Some were for “tower dumps”, which reveal the phone numbers of everyone—criminal suspects or not—in range of a certain mobile-phone tower at a certain time.

The rate of government requests has been growing: Verizon, America’s biggest mobile-service provider, says it has gone up by 15% in each of the past five years. Large mobile companies now have teams of employees that do nothing other than respond to government requests for data.

This is happening partly because technology makes snooping easier, and partly because the law has not caught up with the technology. In the offline world, governments generally need a judge to sign a warrant to put a wire-tap in place; the same goes for a physical search of property. In the online world, most data—concerning who called or e-mailed whom, or visited what website, though not the content of a communication—is handed over without any such judicial review.

This is not just an American issue; European states are at least as careless of their citizens’ privacy as America. The European Union’s Data Retention Directive requires telecoms firms to store vast amounts of data about their customers’ activities, which may then be provided to law-enforcement agencies. In Britain, a draft Communications Data bill gives intelligence agencies even wider powers to intercept and store such data.

There are decent arguments in favour of giving governments such powers. Criminals, as well as law-enforcement agencies, make effective use of digital communications, so states need to be able to respond in kind. Rescue services sometimes need phone data to locate someone who needs urgent help. And where such information can help catch criminals, it should be made available. But there are also arguments for greater restraint. Communications technology these days compromises people’s privacy more than it used to. Mobile-phone records can reveal where people are, what websites they visit, what they are interested in and what they buy. Law-enforcement agencies should not be allowed unrestricted access to such complete, and intrusive, pictures of people’s lives.

Rewind, please

There is, at least, some kickback. The European law has been found unconstitutional in several member states, and the European Commission intends to revise it. But Britain’s bill seems likely to become law, despite much criticism. In America, the main federal law on the subject was written in 1986, when the internet barely existed. It badly needs an overhaul.

A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.

In a related article, "Little peepers everywhere", the Economist focuses on how privacy protections have not kept up with changes in technology and its use. Warrants, which require a demonstration of probable cause, are needed to listen to telephone messages but not for mobile numbers or the collection of e-mails, where certification that the information is relevant is all that is required. It provides:

IN FEBRUARY 1928 the Supreme Court heard the case of Roy Olmstead, whose conviction on bootlegging charges relied on evidence obtained by tapping his phones. Olmstead contended that this violated the fourth amendment, which protects against “unreasonable searches and seizures”. The court disagreed: it held that the fourth amendment protected Olmstead’s person, home and office, but that telephone wires “are not part of his house or office any more than the highways along which they are stretched.”

As telephones became more common, the Olmstead standard grew more untenable. It ended in 1967, when the court decided that fourth amendment protections extend anywhere a person has “a reasonable expectation of privacy”. If police wanted to wiretap a phone, they now needed a warrant, just as they would if they wanted to search a person’s home.

But the warrant requirement applies only to the actual conversation, not to the numbers dialled from a phone. Tracking these numbers requires a “pen/trap” tap (pen registers track the numbers called out from a phone, trap-and-trace devices record the numbers calling in). In 2001 the Patriot Act allowed pen/traps to be served on internet-service providers (ISPs) as well, where they reveal e-mail senders and recipients, the size of each e-mail sent and received, the IP address with which a computer communicates and the sites visited while browsing the web. The standards for getting a pen/trap approved are far lower than for getting a wiretap. The Electronic Communications Privacy Act (ECPA), which was passed in 1986 and remains the main law governing access to electronic communication, requires police only to certify to a court that the information is relevant to an investigation. For a wiretap, police must show both probable cause and that “normal investigative procedures have been tried and failed.”

Wiretaps, which have increased almost tenfold since data was first reported in 1969, are only the tip of the surveillance iceberg. In 2011 federal and state courts approved a total of 2,732 wiretaps; but government agencies made over 1.3m requests for data to mobile-phone companies. That figure includes wiretaps and pen/traps, but it also includes requests for stored text messages, device locations and tower dumps, which reveal the presence of everyone—suspects and not—within range of a particular mobile-phone tower at a particular time. Most of these requests require no warrants at all. Sometimes all it takes is a subpoena from a prosecutor.

Internet companies have also seen a sharp rise in requests from law-enforcement agencies for information about their users. Between July and December 2010 Google received 4,601 requests; in the same period last year that number jumped to 6,321. Among the things that Google is typically asked for are account information and location data. Twitter, a microblogging service, received 679 requests from American authorities for information about users in the first half of this year, which is more than it got in all of 2011. The firm says it complied with three-quarters of these requests, though it does not say whether it handed over all or simply a fraction of the information requested in each case. Google, which says it complied with 93% of the requests from American officials in its most recent reporting period, is similarly vague about what it coughs up.

Web firms say that police tend to grab as much information as they can rather than targeting specific items relevant to a case, so they have to vet requests carefully. Twitter is also pushing back in court. Earlier this month a judge in New York ordered Twitter to hand over almost three months’ worth of messages from a protester involved in the Occupy Wall Street movement accused of disorderly conduct. Twitter opposed the request, arguing that its users have a reasonable expectation of privacy (perhaps oddly, given that anyone can follow a twitterer). The judge disagreed; on July 18th, Twitter appealed.

The previous day, the American Civil Liberties Union (ACLU) appeared in federal court to force the Department of Justice (DoJ) to make public how often it uses pen/traps. That would be a welcome development. The eight mobile-phone companies that were asked collectively for data 1.3m times last year revealed that information by choice, in response to a letter from a congressman who was prompted to inquire by an article in the New York Times. The Pen Register Statute, passed as part of the ECPA, requires the DoJ to report its use of pen/traps to Congress. But it has published no reports since 2009.

The ECPA could also do with a thorough scouring. When it became law there were only 340,000 mobile-phone subscribers in America, and the internet was the province of hobbyists and academics. Distinctions that made sense then no longer do. E-mail is subject to differing sets of protections when it is being typed, sent and stored. A bank statement printed out and kept in a drawer, saved on a personal computer or stored in a private e-mail account is also subject to varying standards.

Metadata (the records of who people call and e-mail, and when, as distinct from the content of conversations) can now be amassed on a vast scale, and run through powerful software that can use it to create a fairly complete portrait of a person’s life and habits—often far more complete than just a few recorded conversations. It deserves more protection than it now receives. And citizens, especially those suspected of no crime whose data is gathered up in a dragnet, deserve more clarity on what law enforcement does with their data and how long they keep it. Even with the best of intentions, the ECPA is almost impossible to apply consistently or fairly. Such murkiness serves no one well.

Beyond such changes lies America’s vast national-security apparatus. Among the many expansions of government snooping power contained in the Patriot Act after the attacks of September 11th, 2001, it became far easier for the FBI to issue national-security letters, which compel service providers to turn over vast amounts of data about the recipients of such letters without a court order. The FISA (Foreign Intelligence Surveillance Act) Amendments Act allows intelligence agencies to eavesdrop on communications between Americans and people overseas without a probable-cause warrant. FISA investigations require an order from the FISA Court—which meets in secret, and in the 32 years from 1979 to 2011 rejected a grand total of 11 applications. They are subject to no other review.

The interest, if not obsession, of some government agencies in data is on display in New York’s fight with Twitter over data Twitter holds. New York wants the records of an Occupy Wall Street protester. The basic facts and details of the legal skirmish, which may be a prelude to something bigger, are found here. It provides:

Twitter has decided to appeal a recent ruling in the legal battle between the social network and New York State over the tweet records of an Occupy Wall Street protester. According to All Things D, Twitter announced today that it’s not giving up protecting the rights of its users.

The melee began in May when New York County Criminal Court Judge Matthew Sciarrino Jr. subpoenaed Twitter to hand over three months of basic user information and tweets from one of its users, Malcolm Harris. Harris is currently being prosecuted for disorderly conduct at an Occupy Wall Street protest on the Brooklyn Bridge last October where more than 700 other alleged protesters were arrested.

Twitter’s terms of service state that its users “retain [their] rights to any content [they] submit, post, or display on or through” the site. And the social network has maintained this stance throughout these legal proceedings. In May, Twitter’s legal counsel Ben Lee said, “Our filing with the court reaffirms our steadfast commitment to defending those rights for our users.”

Since then, three consumer rights groups — the American Civil Liberties Union, the Electronic Frontier Foundation, and Public Citizen — joined the social network, filing a “friend of the court” brief, which argues that allowing the government access to an individual’s Twitter account information would chill free speech.

But to no avail, Judge Sciarrino still ruled that Twitter must hand over Harris’ data. In an opinion he wrote earlier this month, the judge said that Twitter users have no reasonable expectation of privacy because tweets are public.

Now, as the battle continues, Twitter is not surrendering. “We’re appealing the Harris decision,” Lee wrote in a tweet today. “It doesn’t strike the right balance between the rights of users and the interests of law enforcement.”

Further relevant articles are found here and here.


