Prepared by JinYoung Baik, Donna Leo, and Sarah Van Wart

“Whenever I tell a layperson, or even a lawyer unfamiliar with electronic privacy laws, that the protections for e-mail vary depending upon the duration and location of its storage and whether it has been opened, and that the statutory protections afforded their remotely stored private Web diary or calendar falls short of Fourth Amendment protections, they look at me with disbelief.” (Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications, p. 9)

Storing Our Lives Online: Expanded Email Storage Raises Complex Policy Issues

This article looks at the unintended consequences for a consumer’s privacy protection of the advancement of computer technology and Internet services. The privacy laws were written when on-line remote storage of consumers’ information was not a common practice because it was expensive. Though many on-line service providers have strict privacy policies, they may be difficult for a consumer to find and understand. There are also issues about how the government can gain access to a consumer’s email accounts and other remotely stored information, and whether the subscriber will be notified of this request for information. Since many people are now using the Internet and remote storage of information, it seems a critical time to understand the current protections provided by the service providers and the law, and to develop practices to address these changes.

The advancement of computer technology and Internet services provides a wide range of new services, including free email service and large storage and searching of personal information. These services give consumers flexible and mobile access to their information, but they raise concerns about privacy protection: the original legal framework for electronic communications did not account for these expansive changes, and the traditional constitutional search and seizure rule and the statutory privacy protections, with their limitations, were not developed with the idea that information would be moving from a person’s personal computer onto remote servers.

The changes in communication on the Internet have provided the ability to communicate, store and retrieve information in a way that is very different from telephone communication, because emails can be stored for future use and service providers have access to a consumer’s stored emails. Starting in 2004, Google, Yahoo, and Hotmail began providing more storage for email subscribers. This change in storage capacity and use was not considered when email privacy laws were written; at that time email was downloaded to a consumer’s computer, so the storage of email on third-party servers accessible via the web (remote storage) was not addressed. Most consumers were unaware of the implications of storing their information on third-party servers instead of their own computers. The law current at this time offered less privacy for a consumer’s communications and information in electronic storage with an ISP or other service provider than for those same communications in ‘transit’, and less than if they were stored on the consumer’s own computer or in printed form.

Under the current government rules, access to a person is protected under the Fourth Amendment, which “shields individuals from unreasonable search and seizures” (p.601). The court determines whether a search violates the Fourth Amendment by asking whether an individual’s conduct shows an expectation of privacy, and whether society recognizes this as reasonable. Under these guidelines the Supreme Court has held that the Fourth Amendment protects what is in a person’s home or apartment, his/her physical person, and the content of his/her telephone calls. The court never explicitly ruled on electronic mail (email), yet it has been assumed that the same protection would apply to email in transit. In the 1970’s, however, the Supreme Court held that the Fourth Amendment did not apply to personal information held by third parties. The court reasoned that a person who voluntarily disclosed information could not expect to have the same privacy considerations. This ‘business records doctrine’ was developed before the courts knew that service providers would store the content of communications.

In response to these changes, Congress adopted the Electronic Communications Privacy Act (ECPA) in 1986, which set rules requiring a special warrant for the interception of real-time electronic communication in transit, similar to what is required for wiretapping of voice communications. A subset of the ECPA communications rules, the Stored Communications Act (SCA), set guidelines for how the government could gain access to the content of stored emails, the transactional information such as who sent and received the email, and identifying information about the consumers of email services. Much has changed since the SCA was written, and it is out of date with the current Internet environment.

The authors conducted a study of current industry practices to determine: when email is deleted for an inactive account; when email is deleted after a request from a consumer; what relatives need to produce to get access to a deceased family member’s email account; whether notice is given to a consumer when a civil subpoena has been issued to get their records; and whether it is clear to consumers whether their email is being read by their service provider. They determined that it is difficult to find and understand all the policies for these issues, and that the practices vary from provider to provider.

In analyzing the issue of consumer privacy protection for communications and information, it seems evident that the technology of electronic communication and remote information storage has advanced faster than consumer understanding of the implications, and faster than the laws which were written in response to these changes. The authors recommend addressing the issues through increased consumer education, ISP disclosure of privacy policies, and the development of more comprehensive ECPA guidelines and other privacy protections.

Key Arguments / Issues
  • What incentive is there for ISPs to fully disclose what their privacy policy is to their customers?
  • What incentive is there for the government to develop more comprehensive guidelines for consumer privacy protections?
  • If the ISPs and/or the government choose not to work towards better privacy protection for consumers, what can consumers do to protect themselves against privacy violations?

A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It

  • Stored Communications Act (SCA) : as part of the ECPA
  • Why does the SCA exist?
    • The Fourth Amendment offers privacy protection in the physical world
    • But these protections may not apply to “virtual homes” in cyberspace: there is uncertainty over whether and when Internet users can retain a “reasonable expectation of privacy” in information sent to network providers; the government may subpoena the materials from the third party without a warrant based on probable cause; and since most ISPs are private actors, they can search through all of the stored files on their server and disclose them to the government under the private search doctrine, so the Fourth Amendment is inapplicable
    • SCA : to regulate the relationship between government investigators and service providers in possession of users’ private information
  • Entities Regulated by the SCA
    • Two categories of service provider; “electronic communication service” = ECS (send or receive wire or electronic communications); “remote computing services” = RCS (the provision to the public of computer storage or processing services by means of an electronic communications system)
    • Two implications of SCA
      • SCA is not a catch-all statute : the home computer of an end user is not protected by the SCA
      • We need to distinguish between providers of ECS, providers of RCS, and providers that provide neither ECS nor RCS : the classifications of ECS and RCS are context sensitive
  • Compelled Disclosure Rules in Section 2703
    • 180 days or less : to compel a provider of ECS, the government must obtain a search warrant
    • greater than 180 days or RCS : the government has three options
      • the government can obtain a search warrant
      • can use either subpoena or court order pursuant to 2703(d), combined with prior notice to the subscriber or customer
    • noncontent records (logs)
      • the government can obtain a 2703(d) order
      • search warrant / consent of the customer or subscriber / formal written request to the provider
    • basic subscriber information (name, address, etc) : the government can obtain with a mere subpoena
  • Voluntary Disclosure Rules in Section 2702
    • imposes restrictions only on providers to the public
    • providers are free to disclose noncontent information to nongovernment entities
    • eight exceptional circumstances in which voluntary disclosure is allowed
      • content information
        • 1-4 : common sense exceptions
        • 5-8 : deal with specific circumstances in which an individual’s privacy rights give way to other competing interests
      • noncontent information: can be disclosed to nongovernment without restriction
  • upside-down pyramid : allow greater process to include the lesser : the higher up the pyramid you go, the more information the government can obtain (eg. search warrant : compel everything stored in an account)

Key Arguments / Issues:

  • From the government’s perspective, the upside-down pyramid looks effective for compelling information from providers. However, what about customers? Suppose the government only needs an email that has been in temporary storage for less than 180 days and obtains a search warrant; it can then still get information older than 180 days without any additional effort, which might create privacy problems. Does the SCA need more granularity in this upside-down process?
  • Despite this complexity, is the SCA still workable in that it can fill the gap between the Fourth Amendment and protection issues in cyberspace?
  • What’s a more relevant metaphor for internet content — a “storage container” or a “business-doctrine-type” document?


Gonzales v. Google (Motion to Compel Compliance with Subpoena)

The Child Online Protection Act (COPA) was enacted in 1998 to protect minors from exposure to sexually explicit materials on the Internet by prohibiting US-based individuals and entities from knowingly making a communication “for commercial purposes that is available to any minor and that includes material that is harmful to minors.” “Material that is harmful to minors” is defined as material that is obscene or:

  • That the average person, applying contemporary community standards, would find is designed to appeal to the prurient interest.
  • Depicts, describes, or represents, in a manner patently offensive with respect to minors, an actual or simulated sexual act or sexual conduct, an actual or simulated normal or perverted sexual act, or a lewd exhibition of the genitals or post-pubescent female breast.
  • And, taken as a whole, lacks serious literary, artistic, political, or scientific value for minors.

The ACLU claimed that COPA violated First Amendment rights, and filed suit against the attorney general. A series of court hearings took place on the matter:

  • In 2000 (ACLU v. Ashcroft): Preliminary injunction granted against COPA.
  • In 2003 (Ashcroft v. ACLU): Judgment vacated and remanded to the court of appeals for further consideration.
  • 2004 (ACLU v. Ashcroft): Court affirmed the granting of the preliminary injunction.
  • 2005 (Ashcroft v. ACLU): Court upheld the preliminary injunction but said that more evidence was needed to determine that filtering software was less effective than legislation. The Supreme Court requested that each side present evidence of their claim against / for COPA.

In an attempt to gather evidence to prove that legislation was the most effective avenue to protect children from exposure to obscene content, the government requested that various search engines provide a sample of (1) URLs crawled and (2) search terms queried using a “pre-trial discovery subpoena.” All search engines complied with the government’s request except for Google, which claimed that the request was irrelevant, redundant, would disclose customers’ identifying information, would reveal privileged trade secrets, and would place an undue burden on Google.

The government countered Google’s claims by saying that the URLs and search terms would help to characterize the types of websites being queried and the types of queries that were being submitted to search engines. This would in turn help to characterize the extent of obscene content and the effectiveness of filters. The government dismissed Google’s concerns that the search queries would reveal private information or privileged secrets, and said that the request was not burdensome and that the data request was straightforward. The Government ordered that Google comply with the subpoena.

DOJ brief p 20-25

Case No. 5:06-mc-800006-JW Reply Memorandum in Support of the Motion to Compel Compliance with Subpoena Duces Tecum
The Department of Justice decided to investigate whether COPA (Child Online Protection Act) satisfies the requirements of the First Amendment. To do this they chose to study the effectiveness of current filtering software in preventing minors’ access to sexually explicit materials on the Internet. The DOJ requested information from various sources, including Google. The other sources complied with the initial request, and Google did not. This brief is the DOJ’s effort to show the courts that the reasons for Google’s non-compliance are not founded, and to have the Court make Google give them the data.

A couple of the claims that the DOJ addresses in pages 15-20 are:

  1. Google claimed that by giving the requested information they would risk the loss of users’ confidence. The DOJ argued that this is not true because the information they requested could not identify the users of their search engine. The DOJ further claimed that Google’s reference to their privacy policy and “personal information” disclosure does not make reference to other kinds of data, including aggregation of non-personal information. The DOJ argues that Google’s disclosure of the information requested would not violate their privacy policy.
  2. Google claimed that the subpoena for information violates the Electronic Communications Privacy Act (ECPA). The DOJ argued that Google lacks legal support for this claim. The DOJ goes through an extensive explanation of what types of network service providers are covered under the ECPA, both electronic communication services (ECS) and remote computing services (RCS). The DOJ argues that the Google search engine does not fall within either of these categories, and even if it could be considered an RCS, the Government’s subpoena for information does not violate the ECPA.

Key Arguments / Issues:
  • Is it necessary to re-evaluate the network services provider categories, as defined by the ECPA in 1986, to expand protection for other online service providers?
  • Currently, does Google have any legal protection against requests for information from the government?
  • Besides their stated objections, why might Google have resisted the government’s request for information?

Google Brief

1. The Production of the Requested Data will result in a chilling effect on Google’s Business and User Trust

  • If Google produces the data to the Government, they will lose credibility among users, because search query content can disclose identities and personally identifiable information

2. Google Should not bear the burden of responding to potentially inadequate process based on ECPA

  • As a provider of Electronic communication service (ECS) : cannot disclose the content of such communications absent strict government compliance with the procedures outlined in Section 2703 : a mere subpoena is not enough
  • As a provider of Remote computing service (RCS)
    • ECPA places similar restrictions on the disclosure of stored communications to the government by providers of remote computing services and makes no exception for anonymous or anonymized content
    • Content is off limits under ECPA except in rare cases when procedural safeguards are followed.

CDT (Center for Democracy & Technology) Brief:

In Support of Google’s Opposition to the Motion to Compel of Attorney General Gonzales
In response to the Gonzales v. Google case, the Center for Democracy & Technology (CDT) wrote a brief arguing that the Attorney General’s motion to compel should have been denied, and that COPA will likely not be effective in protecting children from obscene material.

First, CDT explains that (1) since Google is a “remote computing service” (RCS), and (2) search terms are the contents of a communication, the government must follow the procedures outlined in the ECPA to legally compel Google to surrender search terms by obtaining:

  1. A criminal search warrant
  2. An administrative subpoena
  3. A grand jury subpoena
  4. A trial subpoena
  5. A court order issued under subdivision (d) of section 2703 (which is issued if the information being sought is relevant to an ongoing criminal investigation).

Google is an RCS in that it provides computer storage and processing of search queries, indexes, and URLs. Search terms are the transmitted contents of a communication because “signs,” “writing,” and “data” are electronically communicated to the Google search engine. Since the government merely held a “pre-trial discovery subpoena,” Google should not have been expected to comply with the government’s request.

Second, in addition to the failure of the government to follow the appropriate ECPA process, CDT also states that the government shouldn’t be granted one of the subpoenas / warrants listed above because the information it’s demanding from Google isn’t relevant to the COPA case. This is because Google provides search services and indexes URLs internationally, resulting in a non-representative sample of US-based websites. Since COPA only has jurisdiction over US-based websites, the fact that the government is seeking information from international websites will not lead to any valid conclusions regarding how minors in the US gain access to sexual content. CDT also cites a National Academy of Sciences report, which stated that:

“Federal legislation cannot readily govern Web sites outside the United States, even though they are accessible within the United States….even the strict enforcement of COPA will likely have only a marginal effect on the availability of such material on the Internet in the United States….even if the Supreme Court upholds COPA…this does not necessarily mean it is good public policy.”

Conclusion: The motion to compel of Attorney General Gonzales should be denied.

Key Arguments / Issues:
  • Search terms are contents of a communication; Google is a “remote computing service.”
  • Google is being asked to violate Federal Law by complying with the subpoena.
  • Due to the global nature of the internet, the government’s data requests are irrelevant and would not convincingly argue in favor of COPA.
  • CDT, the National Academy of Sciences, the ACLU, and other parties support filtering technology over COPA to more effectively shield minors from obscene content.

Shi Tao entry Wikipedia

In 2005, Shi Tao, a mainland Chinese journalist, writer and poet, was sentenced to 10 years in prison for providing a document from the Communist Party to an overseas website. Yahoo’s service in Hong Kong released the information, which connected Shi Tao to the Chinese government document, and gave the Chinese authorities information to locate the sender of the post. A controversy arose about Yahoo’s business practices of giving sender information to the Chinese government without asking what the information would be used for.

The Chinese authorities took possession of Shi Tao’s computer and documents without any type of warrant. Shi Tao’s attorney protested that the search and seizure and the arrest of his client were illegal, and was later put under house arrest. The Chinese court also held a secret hearing, which charged that Shi Tao had leaked state secrets, sentenced him to 10 years in prison, and rejected his appeal of the decision without a hearing.

There was much international reaction to Yahoo’s business practices in this incident, and they were accused of being a “police informant.” Congress began an investigation about this and other similar incidents with representatives from many top Internet providers. Congress later criticized Yahoo for not disclosing full details of their activities during the previous investigation. Shi still remains in prison, and Yahoo later settled with Shi for an undisclosed amount of money.

Key Arguments / Issues
  • What could Yahoo! have done differently?
  • If Shi Tao better understood their privacy policies, might he have acted differently?
  • If Yahoo! offers their services in other countries, are U.S. government consumer privacy protections available to their overseas subscribers?

Skype Accused of Complying with Chinese Spying Program

Skype is being accused of helping the Chinese government spy on its citizens by capturing and storing “offensive” chat messages. At the beginning, Skype was distributed in China by local partner TOM, which has established procedures to meet local laws and regulations. Silverman said that uploading and storing chat messages with certain keywords was not TOM’s protocol and that they are inquiring to find out why the protocol changed. As to the security breach issue, Skype fixed it immediately with TOM, but is currently addressing the wider issue of the uploading and storage of certain messages with TOM.

Key Arguments / Issues
  • Skype seems to evade its responsibility. When a company wants to launch its service in other countries with a local partner, how involved should the original company be in terms of privacy regulation? Is it legitimate to pass its burden to the joint venture company?
  • Are there any requirements for how to design a system in order to cope with other countries’ regulations?

Supplemental Background Information

CNET: Supplemental Information about the Google Case

Reasonable Expectation of Privacy & Business Record Cases
Taken from Deirdre Mulligan’s “Reasonable Expectations in Electronic Communications” (p. 11): A backdrop to the ECPA

Katz v. United States (1967)

  • Court held that the Fourth Amendment protects “people not places”
  • “reasonable expectation of privacy” notion established, which expanded the scope of Fourth Amendment protections for privacy.

Couch v. United States
Court held that subpoenaing an accountant for tax return records provided by a client raised no Fourth Amendment concerns.

United States v. Miller
Court held that individuals have no legitimate expectation of privacy in the phone numbers they dial, and therefore the installation of a technical device (a pen register) that captured such numbers on the phone company’s property did not constitute a search.

An update on the Google Library Project, and their decision to charge the user access to copyright materials. There is also a link to an article in the New York Times book review by Robert Darnton. If you have about 5 minutes I recommend you listen to this piece. The story continues…

All Things Considered, February 21, 2009 · Google wants to give you access to its huge database of scanned, out-of-print books, but the company is going to charge for it. Robert Darnton, head librarian at Harvard University, says the deal violates a basic American principle — that knowledge should be free and accessible to all.

www.npr.org/templates/story/story.php?storyId=100969810