Politech: Orin Kerr on Councilman case: "Sky *is* falling!" [priv]

[Declan McCullagh <declan () well com>]

Previous Politech messages:
http://www.politechbot.com/2004/07/06/isp-wiretapping/
http://www.politechbot.com/2004/07/13/isp-monitoring/


-------- Original Message --------
Subject: my take on Councilman
Date: Wed, 14 Jul 2004 18:45:08 -0400
From: Orin Kerr <okerr () law gwu edu>
To: <declan () well com>

Declan,

I just posted some thoughts on the Councilman case and I thought you 
might be interested.  The original post and relevant links are available 
at http://volokh.com/archives/archive_2004_07_14.shtml#1089840267
Feel free to post if you like.

Best,
Orin

_________________________________

UNITED STATES v. COUNCILMAN: THIS TIME THE SKY REALLY *IS* FALLING

In debates on Internet surveillance law, I often end up arguing that 
reports of privacy's death have been greatly exagerrated. For example, I 
wrote a law review article in 2002 describing the effect of the USA 
Patriot Act on Internet surveillance law as 'The Big Brother That 
Isn't.' (available at 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=317501) Two weeks 
ago, however, the First Circuit decided a case called United States v. 
Councilman that poses a very real threat to Internet privacy.
There has been some press on the case already, but some writers and 
commentators have also suggested that the decision really isn't a big 
deal. Declan's take is representative of the no-big-deal school.  He 
writes that "the folks who are most upset about this haven't read the 
court's opinion carefully, and those that have are discounting the 
ability of state law and tort sanctions to keep people in line. There 
are other mechanisms than just federal wiretapping law that can enforce 
good behavior."  I disagree with Declan, and thought it might be worth 
explaining why the Councilman decision is so dangerous.
First, a bit of background. Federal law protect e-mail privacy through 
two primary laws: the Wiretap Act, codified at 18 U.S.C. 2510-22, and 
the Stored Communications Act, 18 U.S.C. 2701-11. The Wiretap Act offers 
very strong protection against the real-time interception of telephone 
or Internet communications. If any one tries to step in and snoop on the 
contents of another person's communications, they commit a federal 
felony offense unless one of several fairly narrow exceptions applies. 
If the government tries to do this, they need a super-search warrant 
called a Title III order. In contrast, the Stored Communications Act 
sets up lesser privacy protections for access to stored communications. 
First, the law is much narrower; it applies only to files held by 
particular providers, and has much broader exceptions. Second, the 
prohibition against snooping on stored files is much narrower and 
ordinarily a misdemeanor. Third, law enforcement access to stored files 
is normally !
 governed my a basic warrant requirement, rather than a super-search 
warrant requirement. Why the different treatment for stored and 
in-transit communications, you wonder? Well, there are a couple of 
reasons, but one important reason is that the Supreme Court suggested in 
Berger v. New York that in-transit interception requires special 
protections under the Fourth Amendment. (By the way, I discuss how the 
Wiretap Act applies to the Internet in the Big Brother article I linked 
to above. I also give a basic explanation of the Stored Communications 
Act in a forthcoming article you can download in draft form here: 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=421860.)
The Councilman case addresses an ambiguity in the line between the 
Wiretap Act and the Stored Communications Act. The question is, when is 
a file stored, and when is it in transit? This is a big question because 
on the Net communications are often at rest for very brief periods of 
time in the course of transmission, and the statutory text doesn't make 
particularly clear whether access to a file that is at rest for a 
nanosecond is supposed to be covered by the Wiretap Act or the Stored 
Communications Act. Councilman involved an ISP employee who wrote and 
installed a computer program to scan incoming e-mail of the ISP's 
customers; ISP employees would then read the e-mails and try to use them 
for the commercial advantage of the ISP. In a nutshell, the First 
Circuit held (by a vote of 2-1) that because the program scanned the 
e-mails while they were at rest for a nanosecond, the e-mails were in 
storage at that time and access to them was covered by the Stored 
Communication Act, !
 not the Wiretap Act. Because Councilman had been indicted for 
violating the Wiretap Act, the Court affirmed the dismissal of 
Councilman's indictment.
Why is this decision a big deal? It's a big deal because the line 
between the Wiretap Act and the Stored Commmunications Act doesn't just 
regulate ISPs. It regulates everybody, including federal and state 
criminal investigators. The Justice Department and Congressional 
staffers have interpreted the Wiretap Act quite broadly and the Stored 
Communications Act quite narrowly, and based both existing practice and 
recent legislative amendments on that understanding. When I was at DOJ 
advising agents on this sort of thing, the informal yardstick was that 
when a law enforcement agent planned a series of accesses to a file or 
account, the repeated series of accesses triggered the Wiretap Act 
rather than the Stored Communications Act. So in a pre-Councilman world, 
an FBI agent couldn't make an end-run around the Wiretap Act by lining 
up a bunch of warrants and executing them once every ten minutes. This 
approach remained true to the Supreme Court's decision in Berger and 
also ensured!
  that the strong privacy protections of the Wiretap Act were not 
gutted by end-runs around the statute.
The Councilman approach largely nullifies the Wiretap Act online, by 
contrast, with rather remarkable implications. It is my understanding 
that when the FBI gets a Wiretap order to install a network wiretapping 
device such as Carnivore, they usually install the device at a 
nanosecond-storage point. Well, guess what, folks-- that's no longer 
regulated by the Wiretap Act. Under Councilman, DOJ can install 
Carnivore with at most only a search warrant. Even worse, the FBI 
doesn't need a search warrant at all if the owner of the computer where 
Carnivore is installed consents and that owner is a University or 
business other than an ISP. Because the exceptions to the Wiretap Act 
are narrow while the exceptions to the Stored Communications Act are 
much broader, the switch from protection via the former to via the 
latter is not only a switch to lesser protection, but in many cases a 
switch to no protection at all. For example, if the FBI wanted to 
install Carnivore at my university's!
  servers and the university was willing to let them do this, the FBI 
could monitor all of my incoming and outgoing e-mail (and all of the 
e-mail of everyone at the University, for that matter) in real-time 
without any legal process or oversight whatsoever. Do you remember the 
controversy over the "computer trespasser" exception to the Wiretap Act, 
which was one of the most controverial sections in the USA Patriot Act? 
Under Councilman, that kind of monitoring generally will not even 
implicate the Wiretap Act in the first place, so the monitoring is no 
longer limited by the specific statutory requirements of the trespasser 
exception. Bad stuff. Very bad.
There are rumors afoot that Congress may step in and fix this problem 
soon. Fortunately, the politics are a win-win: both DOJ and civil 
liberties groups want the prior understanding restored. There is even 
proposed statutory language floating about that would do the trick quite 
nicely. Let's hope that Congress acts sooner rather than later.
Orin S. Kerr
Associate Professor
George Washington University Law School
Washington, DC  20052
okerr at law.gwu.edu
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)