40 comments

[ 0.26 ms ] story [ 101 ms ] thread
Petraeus signed all kinds of paperwork that said it was okay for the government to go digging around in his personal life, including email. This is really a non-story.
Sounds like you missed the point of the article:

Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor - not a judge - to obtain electronic messages that are six months old or older.

Has nothing to do with what Patraeus signed.

The article speaks generally about when the FBI can access email. It doesn't have a source which says exactly which approach was used in this case. They may have used any of the methods mentioned -- prosecutor subpoena, judge, or even Petraeus' prior or current written authorization -- depending on the exact timing of when its contents were examined.
Exactly. Has nothing to do with this.
As they looked further, the FBI agents came across a private Gmail account that used an alias name. On further investigation, the account turned out to be Petraeus's.

The FBI broke into the gmail account (or at least subpoenaed identifying information from google) before they knew whose it was. So no, it's not a non-story.

That "on further investigation" could mean many things other than your presumptive interpretation that they accessed the account before they knew it was associated with Petraeus.

For example, they could have suspected it was his, and then asked him for confirmation and access. At that point, he would have had to yield, due to his role, his prior agreements, and the situation (including the inevitability of access).

Does Google actually require subpoenas?
Yes, and Google fights them, and often wins.
The most disturbing bit from the article:

"Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor - not a judge - to obtain electronic messages that are six months old or older."

You beat me to the punch. That act is 26 years old, and I've never before heard about his little provision in all my reading of discussions on email privacy.

Time and time again, I think, "I should bite the bullet and register a domain name for 10 years to host my own email on, encrypting everything that makes it past the spam blocker."

I know, I know. I'm not that interesting a person, especially to the federal government. But it's the principle of the matter, you know?

I bought my first firearm 15 years ago solely because it was a right I considered as important as voting and free speech, and I wanted to exercise that right. (Yes, I know this is mostly an American sentiment.)

How would that stop you from being required to comply with a subpoena to supply old email from sageraven.com (hypothetical)?
Presumably the Fifth Amendment, which still protects one from disclosing their password unless the prosecutors have a witness who has seen illegal material on your device.
I imagine that it's easier to fight a subpoena directed at you than it is to fight one directed at Google (for example).
You may be surprised. Google has more legal resources, and less fear off illegal imprisonment. The government had wide latitude for breaking its own laws against individuals.
1. Not all 3rd parties will have Google's level of resources.

2. Not all 3rd parties are going to care enough to do anything other than just roll over and do what that government asks of them.

3. Not all 3rd parties are Google, nor should they be. (as in Google shouldn't be 'the web')

It puts me in control of the situation. As it is, an over-zealous prosecutor can get my ISP to comply. For personal systems, I assume that it would require an outright lawsuit/prosecution to force my hand to do anything. With competent representation, I assume it would need to be serious business and not a fishing expedition for them to get my email (should I comply at all).

And remember, passwords for crypto are still pretty much untested in (US) court. So far as I know, I currently cannot be forced to provide decryption passwords/keys for a court. Contempt might still be an issue, but that's another problem entirely.

>I bought my first firearm 15 years ago solely because it was a right I considered as important as voting and free speech, and I wanted to exercise that right. (Yes, I know this is mostly an American sentiment.)

The idea behind that right had to do with the ability of the people to overthrow an oppressive government, not with the ability to have guns per se, e.g as a gun collector or to protect your house from burglars.

And, as we know, the utility of guns against an oppresive government today is zero.

It's only disturbing because people think of e-mail as equivalent to the letters in their desk rather than what it is: putting private information into the hands of private third parties in cleartext. The ECPA actually gives you an extra layer of protection--requiring a warrant for messages less than six months old. Under the principles of the 4th amendment, you wouldn't even have this much protection. In general, you have no privacy interest in information you entrust to third parties. If your ISP turns over your e-mail just because the FBI asked nicely, without the ECPA that'd just be between you and your ISP.

I don't know why this surprises anyone. Prosecutors have broad powers to subpoena information in the hands of third parties. 4th amendment doesn't even apply.

That's only if you accept the current "third party doctrine" interpretation of the limits of the fourth amendment. There is nothing in the amendment itself to limit its protections in the way that they have been, and, in fact, these limits have not been enforced uniformly.

For instance, even though you make (or made) telephone calls in the clear over a third party network, the government cannot tap your phone calls without a warrant (and, in fact, protections were even expanded to tapping of public pay phones to target specific people in Katz v. United States).

The third party doctrine must be dropped by the courts or protections for things like email need to be made explicit by congress. However, the current interpretations favored by courts are not inherent to the fourth amendment.

Timothy B Lee does a great job blogging about this stuff on Ars Technica and elsewhere. Here's a good starting point if anyone wants one: http://www.techdirt.com/articles/20080530/2014171272.shtml

In the legal sense, the third party doctrine is as inherent to the 4th amendment as anything can be--it's the Supreme Court's binding interpretation of the contours of the phrase "reasonable expectation of privacy."

In the practical sense, I strain to see how someone can have a reasonable expectation of privacy in say their e-mail when Google, Yahoo, Microsoft, etc, data-mine those communications in order to show targeted advertisements...

I certainly don't ever expect a data mining system to gossip.

Treating networked automatic systems like personal notebooks really isn't so terribly strained, there is no reason to expect a person is ever reviewing the data passed to them.

> In the legal sense, the third party doctrine is as inherent to the 4th amendment as anything can be--it's the Supreme Court's binding interpretation of the contours of the phrase "reasonable expectation of privacy."

Not really, because it has only been applied (and kept from application) piecemeal. Warrants required for wiretaps is one good example of where the Supreme Court has said the third party doctrine does not hold. The 6th circuit has actually ruled that email (even if older than six months) is protected by the 4th amendment. That's why many are hoping the supreme court will take up the case, or congress will amend the Stored Communications Act to clear up the inconsistencies.

6th Circuit:

Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.... [T]he police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call--unless they get a warrant, that is. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement.

https://www.eff.org/deeplinks/2010/12/breaking-news-eff-vict...

> In the practical sense, I strain to see how someone can have a reasonable expectation of privacy in say their e-mail when Google, Yahoo, Microsoft, etc, data-mine those communications in order to show targeted advertisements...

We're talking the government here, not companies. You can agree to all sorts of things that the government can't compel you to do. I'm not sure how this is relevant.

So by that argument are you okay with them using speech recognition to voice calls and applying the same standard so phone calls?

Basically the only thing that makes phone calls special is the tech to easily store and search old conversations didn't exist. Now a days the phone company (or Skype etc..) could keep a digital record of all conversations if they wanted to.

Which way do you think it should it go? Should email be added to "reasonable expectation of privacy" or should voice calls remove that expectation?

>In the legal sense, the third party doctrine is as inherent to the 4th amendment as anything can be--it's the Supreme Court's binding interpretation of the contours of the phrase "reasonable expectation of privacy."

Or, to put it better:

>the Supreme Court's binding interpretation of the contours of the phrase "reasonable expectation of privacy", in which the Supreme Court bended over to big goverment and took the most BS route of interpretation it could.

Regarding your practical sense argument:

I don't see how its strange at all to have an expectation of privacy even if they data mine it -- seems like just a term in a contract to me. For example, if you hire me to protect your valuable manuscripts in my more-secure safe, but grant me in this agreement the exclusive privilege to read these documents with an NDA attached -- would it then obviously follow that I deserve no privacy for those documents AT ALL because I handed them to a third party? Of course not. Many people know and find acceptable that Amazon uses data about your purchases to build suggestions for others -- those same people would consider it completely different to go around telling others what you purchased (government or otherwise). I'm sure even you agree that the expectation that GMail not publish all your emails in a blog post is reasonable -- so the belief in needing a warrant to see them isn't that much of a stretch.

My point is not that this is the current legal interpretation -- I understand its not. I'm simply pointing out that it is perfectly logically consistent from the user's viewpoint to expect this. Furthermore, it seems like if I were to go out of my way in our contract to specify the privacy of your email the government would still think its fine to read it.

Right, but that's a contractual expectation between you and say Google. It's not a general expectation that something will remain private. E.g. I expect my shrink not to tell people stuff, but I don't have a 4th amendment claim of he tells the police that I said I'd kill someone.
That is a controversial opinion, infortunately held by many in government (people whose unreasonable claims are the very matter the Constitution is designed to protect against) and repeating it is tantamount to propaganda, as it pushes people to change their expectations of privacy, which would then be abused by the Executive branch of government. Please stop paraphrasing abuses as though they are acceptable.
It's not really a controversial opinion, it's a fairly straightforward application of 4th amendment principles. There is nothing propagandist or unreasonable about pointing out that the 4th amendment has never protected information freely handed over to private third parties.

The Constitution doesn't always protect everything we think should be protected. The language of the 4th amendment clearly refers to the privacy rights of a person in his person and his personality. Extrapolating from there to documents he sends in cleartext through potentially numerous intermediaries is quite a stretch. Despite the fiction, e-mail isn't, at the protocol level, appreciably more private than leaving little notes to people tucked under park benches.

http://en.m.wikipedia.org/wiki/United_States_v._Warshak

I certainly don't expect my mail carrier to hold my envelopes up to a lightbulb to decode the contents of my letters. Nor do I expect Delta to copy and distribute the documents in my briefcase when I put it in the cargo hold.

The fourth amendment protects my papers and effects, not only when they are on my person.

That case is precedent only in the 6th circuit. It is not the law in the rest of the country.

As for your mail carrier: that's different, the postal service is affiliated with the government. Also, while you may not expect Delta to copy and distribute your documents when you put them in the cargo hold, that has nothing to do with the 4th amendment. The Bill of Rights is only a restraint on federal and state governments, not on private parties.

Agreed. Other things that would probably drive people bannans is that a wiretap warrant is not needed to "tap" cell phone calls. The FBI can get access to cell call and logs much easier that a standard wiretap.
Thing is...do I really think that in using Google they won't read my mail?
You should, as Google has perhaps the best privacy record in the Internet industry among remotely similar organizations.
> You should, as Google has perhaps the best privacy record in the Internet industry among remotely similar organizations.

This means very little when Google still has to comply with subpoenas. They don't really have much of a choice, pressed up against the law.

To the average person, that is a very reasonable expectation.
When you join the CIA you sign a piece of paper that says "You have the right to access all of my personal accounts of any kind."

Having gone through the process of accepting a job offer from the CIA (which I later declined due to the 2 year background check and a more fun job in the Bay Area) I can say this is an oversimplification. If you work for the CIA you explicitly agree to allow them to comb through any of your personal accounts at any time.

Is everyone missing the fact the investigator who started this was corrupt?

As an FBI agent he had full email access, as easy as could be.

Gmail has a backdoor and it's what countries like China use for an attack point.

So the head of the CIA can't think of a better way to securely communicate with his lover than draft emails. He's the head of the nation's spy agency and he's a terrible spy. Good riddance.
Come now, the President of the United States is head of the nation's military. He has no training as a soldier. Do you see where I'm going with this?