Free Novel Read

Habeas Data_Privacy vs. The Rise of Surveillance Tech Page 19


  During his appeal to the 4th US Circuit Court of Appeals, Levison’s attorneys cited a 2010 appellate decision from a case known as Warshak, a bizarre case involving a “nutraceutical” that purported to enhance penile erections. That case has now become the de facto standard nationwide, requiring that the content of an e-mail only be turned over with a warrant.

  In the early 2000s, late-night television across America was blanketed with television advertisements featuring a man who came to be known as “Smilin’ Bob.” Thanks to a male enhancement product known as Enzyte, Bob got a “big boost of confidence,” the narrator intoned, inviting customers to get a sample pack of the pills.

  When Berkeley Nutraceuticals, a company founded by Cincinnati entrepreneur Steven Warshak, began in 2001, it only had 15 employees. After a flood of advertising—including in Penthouse and Outside magazines, among other ads that boasted a “double your money back” guarantee—business was booming. By 2004, the company had grown to include a 24-hour call center and 1,500 employees—that year, it raked in $250 million in revenue. However, according to prosecutors, the entire operation was built not on the sale of these questionable pills, but rather, an auto-ship program. Customers who thought they were simply getting a sample pack were, in fact, signing up for a subscription of regular pills that was nearly impossible to shake.

  As complaints began to mount, Warshak and his colleagues were finally hit with Federal Trade Commission charges in February 2006 and a criminal indictment in September 2006 alleging numerous counts of fraud.

  Eventually, the criminal case moved towards trial, where the government planned to put on numerous witnesses, including former employees. They also obtained 27,000 of Warshak’s e-mails, including one written by his nephew, Jason Cossman.

  In that message, Cossman explored an idea that could help Berkeley Nutraceuticals make even more money: after dissatisfied customers canceled, sales representatives should simply call back, purporting to be conducting a health survey. If the customer told the rep that he used to take a Berkeley pill, then the rep would simply promote a less-expensive product “that the hospital is promoting”—neglecting to mention that this was also a Berkeley product.

  “The poor customer bites, thinking he’s gettin a deal, even though he’s actually getting taken by my company for the second time around!!!!!!” Cossman wrote. “The scheme is beautiful. dreamed it up after many a bong hit one night. these customers are fish in a barrel, man. you already spent the media dollars to get em in the barrel when you bought the enzyte spot. dont let em get away so easy. exploit the shit out of them.”

  Late one night in February 2005, Warshak sent this message to five other executives, appending to the subject line: “The student has become the teacher—our company was built on this kind of creative thinking…thanks for the wake-up call jason!”

  However, Warshak’s lawyers were stumped as to how government investigators managed to get their hands on so many e-mails, until they learned that his e-mail provider, NuVox Communications, had been sent a 2004 letter from government investigators, ordering them to keep all copies of his future messages under a provision of the SCA. Warshak didn’t find out about this until May 2006.

  In court proceedings, Warshak was primarily represented by Martin Weinberg, a veteran criminal defense lawyer based in Boston.

  Weinberg was a good choice in a Fourth Amendment case: he had successfully argued before the Supreme Court back in 1977 in United States v. Chadwick. That case involved two men who boarded an Amtrak train in San Diego with a “double-locked footlocker” and got off in Boston. Upon their arrival, they were met by federal agents, who insisted on seizing their case and taking it to a government facility to search it—without a warrant. In it, the agents found “large quantities” of marijuana and the men were accordingly charged.

  As the case progressed, courts consistently found in the men’s favor, citing precedent that warrantless searches are per se unreasonable. In a 7–2 decision, the Supreme Court found Weinberg’s arguments persuasive, and ruled in Chadwick’s favor, citing Katz.

  We do not agree that the Warrant Clause protects only dwellings and other specifically designated locales. As we have noted before, the Fourth Amendment “protects people, not places,” Katz v. United States, 389 U. S. 347, 389 U. S. 351(1967); more particularly, it protects people from unreasonable government intrusions into their legitimate expectations of privacy.

  If the officers wanted to search the footlocker, particularly when there was no urgent need to do so, they could have taken the time to seek a warrant. However, they chose not to. Upon learning of what investigators had done in pursuit of Warshak, Weinberg immediately thought of the Chadwick case.

  “We were alarmed to realize that no one had challenged a long-existing but not-well-known policy that the DOJ would use secret subpoenas and orders to gain access to people’s e-mails not through searches of people’s computers, but by going to the ISPs,” he said in an interview, years later. “This was deeply upsetting to anybody’s reasonable expectation of privacy.”

  When it was all said and done, in August 2008, Warshak was sentenced to 25 years in prison and was ordered to forfeit over $459 million to the government. He and his lawyers appealed, and argued that the government should not have been able to obtain his e-mails without a warrant. In his opening filing to the 6th Circuit, Weinberg also underscored that Berkeley Nutraceuticals was an “exceptional company,” adding that Warshak had “spent a fortune to self-correct any operational failures.”

  If the 6th Circuit agreed, Weinberg argued, Warshak’s conviction and sentence should be set aside due to the “exclusionary rule,” a procedural notion designed to punish the government for bad behavior.

  However, there is a counterpoint: the “good faith exception to the exclusionary rule,” which says that so long as the government did something in good faith, the evidence derived from that questionable behavior can stand.

  That’s exactly what the 6th Circuit ruled in December 2010, when citing the Kyllo case, that “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish.” (The appeals court also reduced Warshak’s sentence to 10 years—he was released early, in 2016.)

  However, Circuit Judge Damon Keith, whose privacy colors were shown way back in 1971 during the Keith case, popped up again in Warshak. Judge Keith took a skeptical view of the government’s behavior. In his concurrence, he wrote that while the end result should stay the same, the government had gone too far.

  Following NuVox’s policy, the provider would have destroyed Warshak’s old emails but for the government’s request that they maintain all current and prospective emails for almost a year without Warshak’s knowledge. In practice, the government used the statute as a means to monitor Warshak after the investigation started without his knowledge and without a warrant. Such a practice is no more than back-door wiretapping. I doubt that such actions, if contested directly in court, would withstand the muster of the Fourth Amendment.

  Judge Keith analogized e-mail to a telephone call—both allow two people to “communicate in private.” So, just as the government can’t wiretap someone without a significant showing, neither can the government turn e-mail into a wiretap of sorts. At least in Warshak, federal investigators did not heed the 2005 warning provided by the American Prosecutors Research Institute, that d-orders could not be used “prospectively”—in other words, to get e-mails ahead of time.

  * * *

  Even before the 6th Circuit published its Warshak ruling in December 2010, major companies in the tech industry and various political advocacy organizations partnered in what was called the Digital Due Process Initiative. Together, they began to lobby Congress to update the law. Their concerns aligned with Judge Keith’s opinion that “the government cannot use e-mail collection as a means to monitor citizens without a warrant anymore than they can tap a telephone line to monitor citizens without a warrant.�


  Within months, the House of Representatives convened a subcommittee hearing to discuss how the ECPA should be reformed in light of cloud computing and modern e-mail. In 2011, neither chamber of Congress was able to produce a bill that advanced very far. In November 2012, the Senate Judiciary Committee proposed an ECPA reform bill, but again the legislative process came to a halt.

  * * *

  The 6th Circuit decision in Warshak remains binding only in that particular federal judicial zone, which covers Michigan, Ohio, Kentucky, and Tennessee. Technically, courts in the other 12 appellate federal districts across the country are not obligated to follow their lead. When differing circuits reach opposite legal conclusions, this constitutes a circuit split, and makes it even more likely that the Supreme Court will take up a future case to resolve the difference.

  But rather than wait for courts in other parts of the country to reach what they considered to be a favorable result, a number of major firms, including Google, Facebook, Yahoo, and Microsoft began unilaterally imposing the Warshak standard shortly after the 6th Circuit ruling was handed down. However, Google’s decision was not widely known until January 2013.

  “In order to compel us to produce content in Gmail we require an ECPA search warrant,” Chris Gaither, a Google spokesperson, told Ars Technica at the time. “If they come for registration information, that’s one thing, but if they ask for content of e-mail, that’s another thing.”

  A few months later, in March 2013, at yet another House subcommittee hearing, a top DOJ official made a quiet, but notable announcement.

  “We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old,” Acting Assistant Attorney General Elana Tyrangiel said.

  Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened. Acknowledging that the so-called “180-day rule” and other distinctions in the SCA no longer make sense is an important first step. The harder question is how to update those outdated rules and the statute in light of new and changing technologies while maintaining protections for privacy and adequately providing for public safety and other law enforcement imperatives.

  This statement suggested that the government was no longer going to defend this portion of ECPA in court proceedings, and would simply seek a warrant, as most major providers would require them to do. It’s hard to know exactly why the DOJ decided to make that policy change when it did.

  “I assumed they just knew that line was indefensible, and that after three years of Warshak they realized a warrant requirement for content wasn’t the end of the world,” Orin Kerr, who testifed at the same hearing and is now a law professor at the University of Southern California, told me.

  The 46-year-old professor is one of the most frequently cited tech legal experts of the modern era. This jazz aficionado trained as a mechanical engineer and graduated from Harvard Law School in the early days of the commercial Internet. After graduation, he clerked for an appellate judge before working as a federal prosecutor for three years. Soon after, he became a law professor, churning out influential legal journal articles on a regular basis.

  Several months after he testified before the House subcommittee in March 2013, Kerr put forward what is likely one of the most well-thought-out ways to amend ECPA. He quickly identified one of the crucial problems between the way that computers were thought of in the 1980s when compared to the modern era.

  “The plummeting costs of storage have flipped the default understanding of how surveillance threatens privacy,” he wrote.

  ECPA was drafted at a time when electronic storage was expensive and therefore relatively rare. ECPA treated real-time wiretapping as the chief privacy threat. Access to stored communications was treated as a lesser concern. The opposite is true today. Storage has become remarkably cheap and therefore ubiquitous. Service providers now routinely store everything, and they can turn over everything to law enforcement. As a result of that technology change, access to stored records has become the greater privacy threat. The incredible growth of stored records makes ECPA’s structure exactly backwards for the operation of modern computer networks.

  Or, as he concluded: “The ability to store everything makes storage the greater privacy threat.”

  So, what is the appropriate remedy? Get a warrant.

  While ECPA reform was still languishing in Congress, California began earnestly taking Kerr’s advice to heart. In February 2015, a coalition of tech companies (Apple, Google, Facebook, among others) and organizations led by the American Civil Liberties Union (ACLU) of Northern California announced the California Electronic Communications Privacy Act (CalECPA).

  “Californians shouldn’t be forced to choose between using smartphones, email, social networks or any new technology and keeping their personal lives private,” Nicole Ozer, one of the ACLU of California’s top lawyers, said in a statement at the time. “Especially after revelations of warrantless mass surveillance by the NSA [National Security Agency], it is time for California to catch up with other states across the nation, including Texas and Maine, which have already updated their privacy laws for the modern digital world.”

  Ozer, an ACLU veteran, spearheaded this coalition.

  “I became focused in California where we were well-positioned to enact not just a piece but a really holistic response to what really needed to happen,” she said, noting that she postponed her own necessary back surgery to push forward with the legislation campaign. “When we drafted CalECPA, we…[wrote] the law in a way that makes sense for now—it’s a clean slate, we were going to go for it.”

  The law, which was signed by Governor Jerry Brown eight months later, was dubbed by Wired magazine the “nation’s best digital privacy law.”

  CalECPA goes further than any other similar law at the federal or state level. It forbids any law enforcement or other investigative entity from forcing a business to hand over not only e-mail content, but any metadata or digital communications of any kind whatsoever without a warrant. That means e-mails, texts, documents, chats, documents stored online, anything. Beyond that, the law also requires a warrant to track the physical location of any electronic device and to perform a search of those devices.

  * * *

  Faced with increased pressure from tech firms and privacy advocates, the House of Representatives moved again towards real ECPA reform. They passed the reforms unanimously in 2016, under the name Email Privacy Act. The bill did away with the 180-day rule and also provided mandatory disclosure of the target, unless the government has made a showing that such notification needs to be delayed.

  However, when it moved to the Senate, which happened in the wake of the “FBI v. Apple” case of March 2016, a few senators proposed amendments that ultimately torpedoed the bill. Among others, then senator Jeff Sessions (R-Alabama) filed one that would have required user data to be disclosed to law enforcement in the event of an emergency, while another amendment, pushed by the Obama White House, would have expanded the use of controversial NSLs.

  In 2017, the House again took up the bill, and again passed it unanimously. As of this writing in late 2017, the Senate has yet to take up a companion bill. President Donald Trump has not yet publicly indicated whether he would sign it, should it pass the Senate.

  One of the biggest problems with SCA orders is that they often come with a built-in gag order, with no end date. The only person who can lift that gag order is the same judge who issued it—barring extenuating circumstances, other judges will not do so. Again, unlike with a physical search, someone who has had their data handed over may never find out about it. And with such orders remaining sealed, journalists and activists can never find out that they even exist, let alone challenge their legitimacy in court.

  So, as part of a larger legal strategy that evolved in the wake of the Snowden revelations in 2013, Microsoft announced that it would be “committed to notifyi
ng business and government customers if we receive legal orders related to their data.” In 2016, the company took this notion one step further, and sued the DOJ, asking a court to allow it to speak to customers who were affected by data handovers, citing the company’s First Amendment right to freedom of speech and its Fourth Amendment right to protect against unreasonable searches and seizures.

  Specifically, it wanted the federal court in Seattle to declare unconstitutional the specific portion of federal law that deals with delayed notice, known as 18 USC 2705(b).

  “We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records,” wrote Brad Smith, Microsoft’s top lawyer, in a public blog post in April 2016. “Yet it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.”

  Smith further explained that between October 2014 and April 2016, the DOJ

  has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data. Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.

  For its part, the government asked the judge to dismiss the entire case, largely on the grounds that Microsoft lacked standing—it could not prove that it was harmed by the fact that it could not discuss the SCA orders with its customers. In February 2017, the judge dropped the Fourth Amendment question, but allowed the First Amendment claim to stand. However, in October 2017, the DOJ changed its policy, allowing companies to notify customers of such a data handover in most cases; Microsoft dropped the case.