Digital Security For Journalists

The Legislative View of Privacy: ECPA & FISA

The Electronic Communications Privacy Act (ECPA)

In the decades since the decisions in Miller and Katz, bank transactions and telephone digits have become only two of the many types of metadata generated by the digital communications systems used by the public on a regular basis. And while the Supreme Court’s rulings indicate that there is no constitutional right to privacy around this metadata, this in no way limits the ability of Congress to pass laws expanding individuals’ privacy rights around these records. This fact has led to several pieces of legislation doing just that, including The Right to Financial Privacy Act (12 U.S.C. §3401), Video Privacy Protection Act (18 U.S.C. §2710) and HIPAA (42 C.F.R. §403.812).

Some of the earliest, and still most relevant, legislation in this area is the Electronic Communications Privacy Act (ECPA) of 1986, which defines the classes of metadata that telephone and electronic service providers may be compelled to share with law enforcement. Though successful in enhancing privacy protections in the context of real-time telephone wiretapping, ECPA was written at a time before email was commonplace, and when electronic storage costs were high and local-only access was the norm. The result is that while it remains the primary piece of legislation that governs data collection and sharing requirements for electronic communications today, the application of its provisions to both wired and wireless mobile communications, as well as online services, seems to expose more than it protects.

Crucially, the Stored Communications Act (18 U.S.C. §2701-12) portion of ECPA, and, in particular, its “Required Disclosure Of Customer Communications or Records” provision (18 U.S.C. §2703), enumerates the data points that service providers must turn over to law enforcement when provided with a subpoena.

The exception is 18 U.S.C. §2703(d), which requires some showing before a judge. Both are less stringent than the “probable cause” required to obtain a warrant.

As enumerated in section (c)(2), this information includes:

In the context of the technologies then prevalent, the metadata that ECPA makes available to law enforcement was not nearly as revealing of citizens’ day-to-day activities as it is currently. According to recent research, reviewing even the relatively broad locational data accessible via GPS can illustrate an individual’s movements and activities beyond what would be meaningfully feasible via physical surveillance. The “mosaic theory” concludes that “comprehensive aggregation of even seemingly innocuous data reveals greater insight than consideration of each piece of information in isolation.”15 Yet because we may “voluntarily share” our GPS location (and even more fine-grained cell-site) data by virtue of our service contract with a provider, this information is not considered private. A similar circumstance is created when we surf the Web, as our Internet protocol (IP) address is shared with virtually every website we visit.

For more detail, see the next chapter.

The implications of ECPA are not limited to metadata, however. Section (a) of the “Required Disclosure” clause discussed above provides that contents of “electronic communications” in electronic storage that are more than 180 days old may be obtained by law enforcement via an administrative subpoena. Although the act explicitly exempts from the definition of “electronic communications” the kind of oral, tone-based, GPS and financial data that in 1986 constituted most of the general public’s phone calls and wire transfers, it explicitly includes any “transfer of signs, signals, writing, images, sounds, data or intelligence” (18 U.S.C. §2510(12)): an almost perfect description of email. The result is that any email on a provider’s server that has been opened or is more than six months old may have its contents accessed via such a subpoena.

18 U.S.C. §2705(a) provides for a renewable delay of notification for a period of 90 days if notification may have an “adverse result.”

FISA & the PATRIOT Act–Ambiguity Abounds

Thus far, the policies we have discussed actually apply to anyone’s electronic communications, not only those of journalists. In fact, the only part of ECPA that makes journalist-relevant stipulations is the controversial “business records” section of the PATRIOT Act (Section 215, now 50 U.S.C. §1861). Though section 1(a) of the law allows the FBI to “require production of any tangible things” as part of an investigation to obtain “foreign intelligence information,” this only applies “provided that such an investigation is not conducted solely upon activities protected by the First Amendment” [50 U.S.C. §1861(1)(a)]. Unfortunately, this latter characterization is described only in the guidelines of the Attorney General. Though these guidelines have been revised and their protections expanded16 since the AP phone records scandal in the spring of 2013, they do not carry the force of law; journalists and their organizations have no legal recourse if they are breached.

As Eve Burton points out: “The AP cannot march into court and sue the DOJ.”

Why Metadata Matters

“Although the law provides less protection for metadata than content, metadata can be even more revelatory than content itself.”
–Susan Landau17

While the target of the AP phone records collection is still uncertain, the implications of metadata collection for journalists are clearly illustrated in the cases of both James Rosen and James Risen, whose alleged sources were first identified by law enforcement based on the analysis of telephone, email, and other communications metadata. Coupled with the uncertain standing of reporters’ privilege (discussed below), these cases are particularly troubling as there are indications that they are the early threads of a trend, as suggested by a Department of Justice official:

“As a general matter, prosecutions of those who leaked classified information to reporters have been rare, due, in part, to the inherent challenges involved in identifying the person responsible for the illegal disclosure and in compiling the evidence necessary to prove it beyond a reasonable doubt.”18

What makes up metadata?

What’s Next

In recent months, conflicting conclusions about the constitutionality of metadata collection by the government have been evident in decisions issued by various circuit courts. Specifically, in ACLU v. Clapper (2014)19 the 2nd Circuit held that metadata is not private, and that under FISA following connections up to three links away from the target is acceptable. In December of 2013, however, the opposite ruling was reached by the D.C. Circuit in the case of Klayman v. Obama. As of April 2014, however, the Supreme Court refused to hear Klayman,20 meaning that it is likely to be some time before more clarity on these issues is gained.