No Warrant, No Problem: How the Government Can Get Your Digital Data
Update, Jan. 8, 2014: This post has been updated. It was originally published on Dec. 4, 2012.
The government isn't allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena that doesn’t require showing probable cause of a crime. And recent revelations about classified National Security Agency surveillance programs show that the government is regularly sweeping up data on Americans’ telephone calls and has the capability to access emails, files, online chats and other data — all under secret oversight by a special federal court.
The breadth of and justification for the surveillance are the subjects of ongoing debate in Washington. President Obama and others have defended the programs as necessary to identify terrorists and stop attacks before they happen, but privacy advocates and several U.S. lawmakers have questioned them.
Here's a look at what the government can get from you and the legal framework behind its power:
Who You Called, When You Called
Listening to your phone calls without a judge's warrant is illegal if you're a U.S. citizen. But police don't need a warrant — which requires showing "probable cause" of a crime — to get just the numbers for incoming and outgoing calls from phone carriers. Instead, police can get courts to sign off on a subpoena, which only requires that the data they're after is relevant to an investigation — a lesser standard of evidence. The FBI can also request a secret court order for phone records related to an international terrorism or spying investigation without showing probable cause. One such order obtained by the Guardian newspaper shows that the FBI requested all phone records over a three-month period last year from Verizon Business Network Services. Director of National Intelligence James R. Clapper said in a statement that such orders are renewed by the court every 90 days. And similar orders reportedly exist for other phone companies, including AT&T, Sprint and Bell South. The phone records being collected are for what’s called “metadata” — time, duration, numbers called — but not the content of calls, which President Obama, in defending the surveillance, said would require a judge’s consent.
Police can get phone records without a warrant thanks to a 1979 Supreme Court ruling, Smith v. Maryland, which found that the Constitution's Fourth Amendment protection against unreasonable search and seizure doesn't apply to a list of phone numbers. The New York Times reported in 2012 that New York's police department "has quietly amassed a trove" of call records by routinely issuing subpoenas for them from phones that had been reported stolen. According to the Times, the records "could conceivably be used for any investigative purpose." The Foreign Intelligence Surveillance Act, which Congress expanded in 2001 when it passed the Patriot Act, also allows the FBI to apply for a FISA court order to get “any tangible things (including books, records, papers, documents, and other items).” The FISA court ruled on May 24, 2006, that this provision applied to a phone company’s entire call database, according to The Washington Post. (The phone companies had previously handed over the data voluntarily, the Post reported, but grew nervous after The New York Times published a story on the Bush administration’s warrantless wiretapping program in 2005.) The court order for Verizon obtained by the Guardian — which covers all records from April 25 to July 19, 2013 — is much more expansive than a typical warrant or subpoena, said HanniFakhoury, a staff attorney with the Electronic Frontier Foundation. It covers “telephone metadata … for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.” In a statement, Clapper’s office said the government can’t query the metadata it has collected unless there is a “reasonable suspicion” it is associated with a specific foreign terror group. That happened fewer than 300 times in 2012, the statement said, adding that the data is destroyed after five years. Judge Richard J. Leon of the Federal District Court for the District of Columbia ruled last month that the NSA’s bulk collection of phone records likely violates the Constitution. But a second federal judge, William H. Pauley III, ruled that the collection was legal less than two weeks later, citing Smith v. Maryland in his opinion.
Your Phone Is a Tracker
Many cell phone carriers provide authorities with a phone's location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smartphones. In response to a recent inquiry by Sen. Edward J. Markey, a Massachusetts Democrat, Sprint reported that it provided location data to law enforcement 67,000 times in 2012. AT&T reported receiving 77,800 requests for location data in 2012. (AT&T also said that it charges $100 to start tracking a phone and $25 a day to keep tracking it.) Other carriers, including T-Mobile, U.S. Cellular and Verizon, didn’t specify the number of location data requests they had received or the number of times they’ve provided it. Internet service providers can also provide location data that tracks users via their computer's IP address — a unique number assigned to each computer. Clapper has repeatedly said the NSA does not collect location data from cell carriers under Section 215 of the Patriot Act (which is how it vacuums up other phone “metadata”). But the NSA does gather location data on hundreds of millions of phones overseas, according to The Washington Post, including from Americans abroad.
Many courts have ruled that police don't need a warrant from a judge to get cell phone location data. They only have to show that, under the federal Electronic Communications Privacy Act (EPCA), the data contains "specific and articulable facts" related to an investigation — again, a lesser standard than probable cause. Last year, Maine became the second state, after Montana, to require police to obtain a warrant for location data; Gov. Jerry Brown of California, a Democrat, vetoed a similar measure in 2012. Sens. Patrick Leahy, a Vermont Democrat, and Mike Lee, a Utah Republican, introduced a bill last year that would have updated the ECPA but wouldn’t have changed how location data is treated. Rep. Zoe Lofgren, a California Democrat, introduced a separate billin the House that would require a warrant for location data as well as emails. Neither bill has passed. The New Jersey Supreme Court ruled last July that police needed a warrant for location data. But the United States Court of Appeals for the Fifth Circuit in New Orleans ruled weeks later that the authorities could get historical location data from cell carriers without a warrant. Two similar cases, U.S. v. Davis and U.S. v. Graham, are scheduled for oral argument before federal appeals courts in the coming months. The Supreme Court has not yet ruled on location data.
What Computers You Used
Google, Yahoo, Microsoft and other webmail providers accumulate massive amounts of data about our digital wanderings. A warrant is needed for access to some emails (see below), but not for the IP addresses of the computers used to log into your mail account or surf the Web. According to the American Civil Liberties Union, those records are kept for at least a year. The NSA also runs a program called Marina designed to sweep up Internet “metadata,” or “digital network information,” according to The Washington Post. Whether or not that includes IP addresses is unclear.
Police can thank U.S. v. Forrester, a case involving two men trying to set up a drug lab in California, for the ease of access. In the 2007 case, the government successfully argued that tracking IP addresses was no different than installing a device to track every telephone number dialed by a given phone (which is legal). Police only need a court to sign off on a subpoena certifying that the data they're after is relevant to an investigation — the same standard as for cell phone records. FISA also allows the FBI to apply for a secret court order to get “any tangible things (including books, records, papers, documents, and other items)” relevant to an international terrorism or spying investigation.
Messages You Sent Months Ago
There's a double standard when it comes to email, one of the most requested types of data. A warrant generally is needed to get recent emails, but law enforcement can obtain older ones with only a subpoena. Google says it received 16,407 requests for data — including emails sent through its Gmail service — from U.S. law enforcement in 2012, and an additional 10,918 requests in the first half of 2013. Microsoft, with its Outlook and Hotmail email services, says it received 11,073 requests from U.S. law enforcement agencies in 2012, and an additional 7,014 in the first half of 2013. The company provided some customer data in 75.8 percent of the 2013 requests. (The figures don’t include requests for data from Skype, which Microsoft owns.) And Yahoo says it received 12,444 such requests in the first half of 2013, providing at least some customer data in 91.6 percent of them. Google said last year that it would lobby in favor of greater protections for email. The NSA also obtains emails from companies such as Microsoft, Google, Yahoo and AOL under a program called Prism, as revealed by The Washington Postand the Guardian. Clapper has said the program does not target U.S. citizens or anyone in the country. The Post reported in October that the agency has tapped the private fiber-optic cables that connect Google and Yahoo data centers overseas to collect email metadata en masse, as well as other files. In a single 30-day period, the NSA processed 181,280,466 new records, including email metadata.
This is another area where the ECPA comes into play. The law gives greater protection to recent messages than to older ones, based on a 180-day cutoff. Only a subpoena is required for emails older than that; otherwise, a warrant is necessary. This extends to authorities beyond the FBI and the police. I.R.S. documents released by the American Civil Liberties Union suggest that the I.R.S.’ Criminal Tax Division reads emails without obtaining a warrant. The ECPA update bills introduced by Leahy and Lee in the Senate and Lofgren in the House would require a warrant for the authorities to get all emails regardless of age. The Justice Department, which had objected to such a change, said last March that it doesn’t any longer. Clapper has said the Prism program is legal under Section 702 of the FISA Amendments Act of 2008, which lays out how intelligence agencies may spy on non-U.S. citizens abroad. Under “limitations,” the section says the surveillance “may not intentionally target a United States person reasonably believed to be located outside the United States” and “shall be conducted in a manner consistent” with the Fourth Amendment’s protections against unreasonable search and seizure. The NSA’s tapping of fiber-optic cables between Google and Yahoo data centers — which would be illegal inside the U.S. — is allowed overseas doesn’t seem to intentionally target U.S. citizens or permanent residents.
Drafts Are Different
Communicating through draft emails, à la David Petraeus and Paula Broadwell, seems sneaky. But drafts are actually easier for investigators to get than recently sent emails because the law treats them differently.
The ECPA distinguishes between communications — emails, texts, etc. — and stored electronic data. Draft emails fall into the latter, which get less protection under the law. Authorities need only a subpoena for them. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would change that by requiring a warrant to obtain email drafts.
As With Emails, So With Texts
Investigators need only a subpoena, not a warrant, to get text messages more than 180 days old from a cell provider — the same standard as emails. Many carriers charge authorities a fee to provide texts and other information. For texts, Sprint charges $30, for example, while Verizon charges $50.
The ECPA also applies to text messages, according to the EFF’s Fakhoury, which is why the rules are similar to those governing emails. But the ECPA doesn't apply when it comes to actually reading texts on someone's phone rather than getting them from a carrier. State courts have split on that issue. Ohio's Supreme Court has ruled that police need a warrant to view the contents of cell phones of people who've been arrested, including texts. But the California Supreme Court has said no warrant is needed. The U.S. Supreme Court in 2010 declined to clear up the matter.
Documents, Photos, and Other Stuff Stored Online
Authorities typically need only a subpoena to get data from Google Drive, Dropbox, SkyDrive and other services that allow users to store data on their servers, or "in the cloud," as it's known. The NSA is gathering “stored data” from companies like Google, according to an NSA PowerPoint briefing obtained by The Washington Post and the Guardian. Clapper has said only non-U.S. citizens abroad are targeted. The agency has also tapped the fiber-optic cables linking Google and Yahoo data centers overseas. Both companies offer cloud-storage services.
The law treats cloud data the same as draft emails — authorities don't need a warrant to get it. But files that you've shared with others — say, a collaboration using Google Docs — might require a warrant under the ECPA if it's considered "communication" rather than stored data. "That's a very hard rule to apply," says Greg Nojeim, a senior counsel with the Center for Democracy & Technology. "It actually makes no sense for the way we communicate today." If cloud data is covered by FISA — which seems likely, as the law specifically states that “documents” are included — it would let the FBI request a secret court order for data deemed relevant to international terrorism or spying investigations.
The New Privacy Frontier
When it comes to sites like Facebook, Twitter and LinkedIn, the social networks' privacy policies dictate how cooperative they are in handing over users' data. Facebook says it requires a warrant from a judge to disclose a user's "messages, photos, videos, wall posts, and location information." But it will supply basic information, such as a user's email address or the IP addresses of the computers from which someone recently accessed an account, under a subpoena. Twitter has reported that it received 1,494 requests for user information from U.S. authorities in 2012, and an additional 902 in the first half of 2013. The company says it received 56 percent of the 2013 requests through subpoenas, 11 percent through other court others, 23 percent through search warrants and 10 percent through other means. Twitter says that "non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process." The NSA is also gathering data from social media from companies such as Facebook, YouTube and Paltalk as part of its Prism program, according to the NSA PowerPoint briefing. Clapper has said only non-U.S. citizens abroad are targeted.
Courts haven't issued a definitive ruling on social media. In 2012, a Manhattan Criminal Court judge upheld a prosecutor's subpoena for information from Twitter about an Occupy Wall Street protester arrested on the Brooklyn Bridge. It was the first time a judge had allowed prosecutors to use a subpoena to get information from Twitter rather than forcing them to get a warrant.
For a rundown of what we know — and what we still don't — about surveillance, read "The NSA Black Hole: 5 Basic Things We Don't Know About Government Snooping. Have more questions? Follow @NSAQuestions for updates, and let us know what questions YOU have by tweeting us with #NSAquestions.