Deeplinks Blogs related to Privacy
Sixth Circuit Dodges Constitutional Question on Email Privacy; Warshak Case Dismissed on Procedural Grounds
Deeplink by Kevin Bankston
Today, the full panel of Sixth Circuit judges dismissed [opinion] on procedural grounds the case of Warshak v. US, a lawsuit challenging the constitutionality of no-notice, warrantless searches of email stored by an email provider. A three-judge panel of Sixth Circuit judges had previously held [PDF], based in part on briefing by EFF [PDF], that the federal statute that authorized such searches of remote email accounts — the Stored Communications Act — violated the Fourth Amendment on its face.
It's a shame that the court refused to reach the critical question at the center of the Warshak case: does the Fourth Amendment require the government to obtain a search warrant based on probable cause before secretly rifling through your Yahoo! mail or Gmail accounts? Without clear legal rulings on such issues, we face continued uncertainty about how the Constitution protects our private Internet communications, uncertainty that the government will continue to exploit.
The Sixth Circuit en banc panel held that because Warshak could not demonstrate that the government was likely to conduct further no-notice warrantless searches of his email — the government had twice previously done so — the issue was not "ripe" for a judicial decision. EFF shares the sentiments of Circuit Judge Boyce F. Martin, Jr., who authored the original decision finding the SCA unconstitutional as well as the dissent in today's decision:
While I am saddened, I am not surprised by today’s ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country.... History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment’s right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government’s investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen’s private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.
The decision is disappointing, but does not reject the underlying constitutional ruling on the merits. The original reasoning remains sound, and this decision only reinforces the importance of our mission to obtain a clear ruling from the courts that your emails, IMs, text messages and web browsing receive the same Fourth Amendment protection as your private snail mail and telephone calls. Help EFF fight for an enduring and robust Fourth Amendment by joining now.
Surveilling Drivers For Safety, For The Environment, and For Profit
Deeplink by Peter Eckersley
There is a growing movement to surveil the drivers of cars — for insurance purposes.
One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.
Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.
The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.
One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.
Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device available for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.
The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.
If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.
If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.
EFF Releases Updated White Paper on Best Practices for Online Service Providers
Deeplink by Kurt Opsahl
Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.
OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their users' online activities.
User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.
In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Summary of Recommendations
- Develop procedures for dealing with legal information requests and providing notice to users.
- Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
- Collect the minimum amount of information necessary to provide OSP services.
- Store information for the minimum time necessary for operations.
- Effectively obfuscate, aggregate and delete unneeded user information.
- Maintain written policies addressing data collection and retention.
- Enable SSL as much as possible throughout your site to secure users’ information and communications.
- Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
- Follow best-practice principles for the use of cookies on your site.
- Insist that the OSPs and other service providers you work with observe these best practices, too.
OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provide the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF’s Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.
New Ninth Circuit Case Protects Text Message Privacy From Police and Employers
Deeplink by Jennifer Granick
Today’s Ninth Circuit Court of Appeals opinion in Quon v. Arch Wireless is a victory for the privacy of email and text messages. The holding means that law enforcement needs a probable cause warrant to access stored copies of your electronic messages less than 180 days old, regardless of whether you have already downloaded or read them. It also stops employers from getting the contents of employee emails or text messages from the service provider without employee consent.
In Quon, the City of Ontario Police Department provided its officers with two-way alphanumeric pagers. The officers were informed that it was a violation of City policy to use the pagers for personal matters. The City reserved the right to audit the messages. Employees were also informed that if they exceeded the monthly character limit set by the provider, they would be responsible for paying the resulting additional charges. Officer Quon used his pager to send both business and personal messages, including messages to the other plaintiffs. He went over his monthly limit. Despite the formal usage policy, Quon was told that the informal policy and practice was that if he paid the overage fees, his messages would not be audited. Quon paid those fees several months in a row. At some point, the Department decided that it wanted to audit officers’ messages. It asked the text provider, defendant Arch Wireless, to deliver the contents of officers’ text messages to it. Because the City was the subscriber on the account, Arch printed out copies of the messages and delivered them to the City. Quon’s personal messages with the other plaintiffs were included in the printouts. Quon and his correspondents sued Arch for violating the Stored Communications Act and the City for violating the Fourth Amendment.
The Ninth Circuit held that Arch violated the SCA when it disclosed the contents of the text messages to the subscriber, the City, without the permission of the users. At issue was whether Arch was an Electronic Communications Service (ECS) holding the messages in “electronic storage”, or a Remote Computing Service (RCS), storing the messages on behalf of the subscriber. Messages held by an ECS receive a lot of privacy protection. An ECS is prohibited from disclosing the contents of communications without either a probable cause warrant obtained by law enforcement or consent from the “addressee or intended recipient”. Messages held by an RCS receive less privacy protection. An RCS is prohibited from disclosing the contents of communications without the consent of the subscriber. Law enforcement does not need a warrant to get messages from an RCS. It can use a mere subpoena or “specific and articulable facts” court order to get message contents from an RCS.
Arch regularly archived messages sent to and from its pagers. If Arch was an ECS holding those messages in “electronic storage”, then it was prohibited from disclosing the messages without consent from Quon, the addressee. If Arch was an RCS, then it may disclose the messages with consent from the subscriber, in this case the City, which they did.
In the past, the Department of Justice and others have argued that once a recipient accesses his messages, whether they be email or texts, the message is no longer in “electronic storage” as the SCA defines it. The message loses the higher protection granted to communications held by an ECS. The Ninth Circuit rejects this view in Quon. It looks to its ruling in Theofel v. Farey-Jones, which held that e-mails stored on an email provider's servers for backup protection after delivery to the recipient were in “electronic storage” under the statute and received ECS protection. In Theofel, the Court stated that “[w]here the underlying message has expired in the normal course, any copy is no longer performing any backup function. An ISP that kept permanent copies of temporary messages could not fairly be described as ‘backing up’ those messages.” We have wondered how to apply the “expired in the normal course” language, and this opinion makes it clear. If the archived message was created as a backup copy of an electronic communication sent through an ECS, that copy continues to receive ECS protection.
This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.
The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.
One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.
Finally and impressively, the Court gave real teeth to the “reasonableness” inquiry under the Fourth Amendment. In this case, the Department’s access was regulated by the Fourth Amendment because it is a government employer. (Note that the first part of the ruling involving privacy rights under the SCA does not depend on whether the employer is public or private.) However, a jury found that the Police Department read the plaintiffs’ messages for the non-disciplinary purpose of learning whether continued overages meant it needed a more extensive service plan from Arch. This was a legitimate, non-law enforcement purpose. Nevertheless, the Court found that there were less intrusive means of learning this than reading employees’ text messages. Because government employers are required to use less intrusive means if feasible, the Department’s actions here violated the Fourth Amendment.
The holding that text messages and email are protected by the Fourth Amendment is an immensely important one which gives the victims of unlawful searches the ability to suppress illegally obtained evidence. It protects the privacy of employees who use a messaging service paid for by their company. It also calls into question the SCA’s disparate treatment of messages younger and older than 180 days, though the opinion does not directly address that issue. Finally, this opinion does not simply defer to a government employer’s judgment about what is reasonable where communications privacy is at stake, but actually requires a more privacy friendly course where feasible.
Professor Orin Kerr also has commentary about this opinion up on The Volokh Conspiracy. To read his thoughts, click here.
Sweden and the Borders of the Surveillance State
Deeplink by Danny O'Brien
A proposed new law in Sweden (voted on this week, after much delay) will, if passed, allow a secretive government agency ostensibly concerned with signals intelligence to install technology in twenty public hubs across the country. There it will be permitted to conduct a huge mass data-mining project, processing and analysing the telephony, emails, and web traffic of millions of innocent individuals. Allegedly these monitoring stations will be restricted to data passing across Sweden's borders with other countries for the purposes of monitoring terrorist activity: but there seem to be few judicial or technical safeguards to prevent domestic communications from being swept up in the dragnet. Sound familiar?
The passing of the FRA law (or "Lex Orwell", as the Swedish are calling it) next week is by no means guaranteed. Many Swedes are up in arms over its provisions (the protest Facebook group has over 5000 members; the chief protest site links to thousands of angry commenters across the Web). With the governing alliance managing the barest of majorities in the Swedish Parliament, it would only take four MPs in the governing coalition opposing this bill to effectively remove it from the government's agenda.
As with the debate over the NSA warrantless wiretapping program in the United States, much of this domestic Swedish debate revolves around how much their own nationals will be caught up with this dragnet surveillance. But as anyone who has sat outside the US debate will know, there is a wider international dimension to such pervasive spying systems. No promise that a dragnet surveillance system will do its best to eliminate domestic traffic removes the fact that it *will* pick up terabytes of the innocent communications of, and with, foreigners - especially those of Sweden's supposed allies and friends.
Sweden is a part of the European Union: a community of states which places a strong emphasis on the values of privacy, proportionality, and the mutual defence of those values by its members. But even as the EU aspires to being a closer, borderless community, it seems Sweden is determined to set its spies on every entry and exit to Sweden. When the citizens of the EU talk to their Swedish colleagues, what happens to their private communications then?
When revelations regarding the United Kingdom's involvement in a UK-US surveillance agreement emerged in 2000, the European Parliament produced a highly critical report (and recommended that EU adopt strong pervasive encryption to protect its citizens' privacy).
Back then, the UK's cavalier attitude to European communications, and its willingness to hand that data to the United States and other non-EU countries, greatly concerned Europe's elected legislators. Already questions are being asked in the European Parliament about Sweden's new plans and their effect on European citizens' personal data. Commercial companies like TeliaSonera have moved servers out of Sweden to prevent their customers from being wiretapped by the Swedish Department of Defence. Sweden's own business community have expressed concern that companies may move out of Sweden to protect their private financial data.
Sweden has often led the charge for government openness and consumer advocacy, and has, understandably, much national pride in seeing its past policies exported and reflected in Europe and beyond. Before Sweden's MPs vote next week to allow its government surveillance access to the whole Net, they should certainly consider its effect on their Swedish citizens' privacy. But they should also ponder exactly how their vote will be seen by their closest neighbors. If the Lex Orwell passes, Sweden may not need something so sophisticated as a supercomputer to hear what the rest of the world thinks about their new values.
Three Media Mistakes on Warrantless Wiretapping
Deeplink by Tim Jones
Here's a game you can play when reading or watching news about the President's warrantless wiretapping program. There are a few mistakes that the media keeps repeating over and over and over — see if you can spot them.
Friday night's exchange on PBS News Hour between host Judy Woodruff and New York Times columnist David Brooks is typical:
JUDY WOODRUFF: There was a little bit of news, David, today, that he -- maybe bigger than that -- that McCain agrees with the president that this wiretapping of Americans on their international phone calls and e-mails is legal. Was this a surprise? Some say this is a switch from where he was earlier.
DAVID BROOKS: ... Politically, I think it won't hurt him. And his second point is there's law, I'm going to enforce the law. But, politically, people want -- the FISA program, frankly, has been always been popular politically.
For the moment, let's put aside Brooks' equivocation over McCain's flawed and deliberately ambiguous position on wiretapping, and zoom out to look at the three central ways this exchange mischaracterizes the larger wiretapping debate:
One: "I'm Going To Enforce The Law." It's unclear what Brooks is attempting to say here. In fact, the immunity legislation pushed by McCain and Congressional Republicans is intended to let corporations off the hook for breaking the law with impunity. Far from "enforcing the law," immunity legislation would completely undermine the law, effectively placing a Congressional seal of approval on corporate vigilantism.
Similar conflations have been made by Fox News and Fox's Bill O'Reilly.
Two: "The FISA program, frankly, has always been popular politically." Brooks doesn't mean "the FISA program," he means "the warrantless wiretapping program." It's important to distinguish between the two: FISA — the Foreign Intelligence Surveillance Act — was put in place in 1978 and limits corporate cooperation with government surveillance through a carefully-designed system of court oversight and warrants. In contrast, the Bush administration's surveillance program was specifically designed to circumvent the FISA law and wiretap Americans without oversight.
Of course, "the FISA program" sounds a lot less bad than "the warrantless wiretapping program." The telcos benefit enormously from this blurring, and yet the media consistently fails to make the distinction. This mistake has also been made by The Hill, NPR, NBC, MSNBC, Fox, and by columnist Bob Novak.
In addition, Brooks' assertion of the program's popularity is wrong. According to repeated polling, a strong majority of Americans oppose both the warrantless wiretapping program and telco immunity legislation.
Three: "McCain agrees with the president that this wiretapping of Americans on their international phone calls and e-mails is legal." Judy Woodruff is a few shades more accurate than Brooks here, but her mistake is in the word "international". The government has not only been intercepting international communications — they've also been intercepting communications that begin and end inside the USA. Even if you've never phoned or emailed outside the US, it's likely that communications you've made have been intercepted by the Bush administration under this program.
We know this through a careful technical analysis of the evidence provided by whistleblower and former AT&T employee Mark Klein. (You can read the analysis [PDF] and see the evidence [PDF] for yourself.) A March 2008 article in the Wall Street Journal confirmed the program's domestic focus.
(As a particularly insane variation on this theme, news organizations sometimes simply assert that the government's "authority to spy on terrorists" is at stake, as in these reports by The Washington Post, The Des Moines Register, USA Today, Fox News, and Fox's Chris Wallace.)
Those are three of the biggest mistakes the media consistently makes: First, claiming that immunity legislation supports the rule of law, when it's in fact specifically designed to undermine it. Second, confusing the 1978 FISA act with the radical new surveillance regime concocted by the Bush administration. And third — probably the most pervasive of all — mischaracterizing the wiretapping program as targeted at "international" or "terrorist" communications, when it in fact intercepts the entirely domestic communications of millions of ordinary Americans.
Next time you see discussion of wiretapping in the media, take a close look and see if you can catch the same mistakes being made again. (And again, and again, and again...)
Freedom Not Fear: Europe's Growing Protest Against Net Surveillance
Deeplink by Danny O'Brien
This weekend, marches and meetings across Germany will protest the overreaction of countries to the threat of terrorism, and the re-emergence of a surveillance state in that country. "Freedom Not Fear" is not a small event: over 20,000 people demonstrated in the last protest in September, and over thirty cities will be taking part in this weekend's demonstrations. The organizers hope to expand across Europe for an even larger protest on September 20th of this year [Update: the date has been changed to October 4th].
What has prompted such a fierce reaction? The core of the protest is anger at the European Union's passing of the Directive on Mandatory Retention of Communications Traffic Data, an EU regulation that mandates all European ISPs and phone providers to keep records on every landline, cell and Internet phone call, every email sent, and every Internet connection session, for as long as two years.
The data retention directive was passed in March 2006, with a requirement that EU countries put its requirements into national law by September 2007. Many countries have been dragging their feet, however, faced with the daunting task of weakening existing privacy law, as well as negotiating with communication companies to install and maintain the extensive storage and monitoring equipment required.
But the infrastructure to support the collection of gigabytes of data on innocent citizens is being put in place - and already it has expanded beyond even permissions granted by the new Europe-wide regulations. Denmark's implementation of the directive, one of the first, requires ISPs to record the protocol and port number of every TCP/IP session (if "unfeasible", they can opt to only record every 500th packet). On the 19th May, the UK proposed a plan to nationalize data retention entirely: collecting all the data from all ISPs and phone companies and storing it in a central government database for ease of access.
As citizens across the continent realize the extent to which they will be monitored, resistance is growing. Digital Rights Ireland's long-running constitutional challenge to data retention will be heard in the High Court on Thursday, June 5th. The German group leading the protests this weekend, the Working Group on Data Retention, has its own constitutional complaint pending.
Data retention is also rearing its head in the United States, with FBI Director Robert Mueller telling Congress last month that compelling ISPs to log Americans' activity for two years would be "tremendously helpful". This weekend's Freedom Not Fear protests are solely in Germany, but the planned September demonstrations will take place across Europe. Perhaps it is time that concerned United States citizens joined the chorus, before data retention has a chance to reach its shores.
John McCain Wouldn't Give the Telcos Immunity if He Were President
Deeplink by Kevin Bankston
Breaking with President Bush and GOP Congressional leadership, presumptive Republican presidential nominee John McCain said today through one of his representatives that he did not believe that Congress should immunize phone companies from liability for their participation in the NSA's warrantless wiretapping — at least not until Congress has held hearings to find out exactly what conduct was being immunized, and not until the phone companies admit to and apologize for their lawbreaking.
Threat Level's Ryan Singel reports from the Computers, Freedom and Privacy conference:
As president, presumptive Republican nominee John McCain would not support immunity for the telecoms that aided the Bush administration's warrantless spying program, unless there were revealing Congressional hearings and heartfelt repentance from those telephone and internet companies, a campaign surrogate said Wednesday.
The remarks from Chuck Fish, a full-time lawyer for the McCain campaign and a Time Warner vice president, represent a big change on the issue for McCain, who voted in February to keep immunity in the Senate spying bill. Fish was careful to say, however, that he was answering a double hypothetical question — if McCain wins, and if the issue is still alive in 2009.
"First, we need to be explicit we are not talking about granting indulgences," Fish said, clarifying that he meant forgiveness must be matched with repentance.
"There would need to be hearings to find out what actually happened and what harms actually occurred," Fish said, adding that immunity would need to be coupled with clear rules to make sure private records would be protected in future.
EFF wishes more Republicans would recognize, as their Presidential nominee does, that immunity should not even be considered until Congress has made an extensive investigation into the particulars of the Bush administration's warrantless wiretapping program, and that immunity certainly shouldn't be granted if the phone companies refuse to admit to and apologize for their role in the NSA spying.
Boehner Wants Protection From Illegal Wiretapping - But Only For Himself
Deeplink by Tim Jones
Chris Frates at the Politico reveals how Republican Leader John Boehner is seeking wiretap protection for himself, but not for ordinary Americans:
When a federal judge ordered Rep. Jim McDermott to pay House Minority Leader John A. Boehner and his attorneys more than $1 million in damages and legal fees for leaking an illegally taped phone call to the media, Boehner said he pursued the case because “no one — including members of Congress — is above the law.”
Why, then, is the Ohio Republican trying to squash similar lawsuits against telecommunications companies who cooperated with the government in warrantless electronic surveillance, ask the attorneys behind the class action suits.
The blatant hypocrisy on display here is stunning.
When ordinary Americans were being wiretapped, Boehner's attacked them and their right to privacy, claiming "I believe (phone companies) deserve immunity" from the law. But when Boehner himself was being wiretapped, he had no hesitation to claim his own right to privacy, claiming "no one is above the law."
When ordinary Americans are victimized, Boehner's taken every opportunity to caricature their representatives at EFF and ACLU as "unscrupulous trial lawyers" who are "trying to find a way to get into the pockets of the American companies." But when Boehner himself is the victim, suddenly defense attorneys don't seem so unscrupulous to him, and he has no problem employing his own litigators to receive a $1.1 million reward.
Senators Question FBI About Unlawful Internet Archive Record Demand
Deeplink by Marcia Hofmann
A bipartisan group of senators sent a letter (pdf) to FBI Director Robert S. Mueller III this week demanding answers about an illegitimate National Security Letter (NSL) served on the Internet Archive last fall. The Archive joined with EFF and the ACLU to fend off the NSL, which sought information about an Archive patron that the FBI had no authority to gather. After extensive negotiations, the FBI agreed last month to withdraw the letter and lift an accompanying gag order that had been imposed on the Archive, EFF, and ACLU.
The Electronic Communications Privacy Act (ECPA) allows the FBI to issue NSLs only to providers of an electronic communication service, which is "any service which provides to users thereof the ability to send or receive wire or electronic communications." However, the Archive was not acting in this role in connection with the information sought by the FBI. Furthermore, the Archive is a digital library protected from NSLs by a 2006 amendment to ECPA that limited the FBI's power to demand records from libraries.
Specifically, the senators want to know:
- Whether the FBI thinks the Internet Archive is a provider of an electronic communication service for purposes of the information sought through the NSL. If so, the senators want the FBI to explain why it believes the Archive is such a provider.
- Whether the FBI has issued any guidance to help agents figure out what constitutes a provider of an electronic communication service, and if so, what that guidance is. If there is no guidance, the senators want to know what the FBI thinks the scope of that term is.
- Whether the issuance of the NSL to the Internet Archive has been reported to the FBI General Counsel or Intelligence Oversight Board as a possible misuse of intelligence authority.
Ryan Singel of Wired News writes about the senators' letter and asks his own set of questions here. For more information about the Archive's battle against the FBI, take a look at EFF's Internet Archive v. Mukasey page.

