pageok
pageok
pageok
FBI Acts Quickly to Protect Privacy, Notify the Courts When ISP Makes Error Implementing Court Order:
Of course, that's not quite the way the New York Times tells it. Instead, the Times opted for the headline, "F.B.I. Received Unauthorized E-Mail Access." But if you read the story closely, that does seem to be the real news here.
Curt Fischer:
I'm not so sure that the "real news" is as simple as Prof. Kerr makes it seem.

Quoting from the story:


The episode is an unusual example of what has become a regular if little-noticed occurrence
[...]
But an intelligence official [...] said "It's inevitable that these things will happen. It's not weekly, but it's common."
[...]
The individuals whose e-mail was collected apparently were never informed of the problem.



These facts all seem newsworthy, at least to me. I certainly didn't know it was common for the FBI to accidentally get email from random individuals, and I also didn't know that such individuals are not notified when the mistaken collection does occur.

Of course I am glad the agency appears to have notified the proper overseers about the error.
2.16.2008 5:08pm
cboldt (mail):
The bureau had first gotten authorization from the Foreign Intelligence Surveillance Court to monitor the e-mail of the individual target 10 months earlier, in April 2005 ... In February 2006, an F.B.I. technical unit noticed "a surge in data being collected"


.

Heheheh. Slight delay in noticing the "surge."

.

10 out of 20 violations were a result of "third-party error," in which a private company "provided the F.B.I. information we did not seek."


.

That's not error, that's patriotic cooperation!

.

I'm not sure what the other 10 of 20 "violations" were, probably "preventing terrorist attacks."

.

It'll be so much easier when we outgrow the quaint and outdated notion of expectation of privacy.
2.16.2008 5:20pm
SteveW:
After the FBI completes its investigation, it should notify the individuals whose records were unlawfully tapped.
2.16.2008 6:30pm
OrinKerr:
Curt,

When I was at DOJ in the late 1990s, it was sometimes difficult to get ISPs to respect privacy as much as the FBI did. The ISPs would want to be lazy and take short cuts, and would offer the FBI more information than the court order requested; the FBI had to object and insist that the ISPs comply exactly with the court orders to fully protect privacy.

Cbolt,

Read on. The article states:
The bureau had first gotten authorization from the Foreign Intelligence Surveillance Court to monitor the e-mail of the individual target 10 months earlier, in April 2005, according to the internal F.B.I. document. But Michael Kortan, an F.B.I. spokesman, said in an interview that the problem with the unfiltered e-mail went on for just a few days before it was discovered and fixed. "It was unintentional on their part," he said.
(emphasis added)

Steve W,

Perhaps, but that would seem to create two problems. First, it requires the FBI to create records about whose accounts were tapped (records that otherwise would be destroyed). Second, public disclosure of which accounts were accidentally tapped could also lead to identification of which account was targeted. Perhaps there's a way around that, but I'm not sure.
2.16.2008 6:37pm
cboldt (mail):
But Michael Kortan, an F.B.I. spokesman, said in an interview that the problem with the unfiltered e-mail went on for just a few days

.
I saw that. Must have been an adjustment at the ISP, 10 months after the order was issued.
.
At any rate, anybody who has an expectation of privacy in e-mail has a screw loose. Orin points out that ISP's have no respect for privacy. No company in its right mind would argue with a federal agent either. "Yes sir, here are the books, and the keys."
.
How many suits are there, challenging NSL's? Only a handful, and scores of thousands of NSL's issued.
2.16.2008 6:53pm
ReaderY:
Is this fundamentally different from executing a search warrant on the wring address or wiretapping the wrong phone number?
2.16.2008 7:28pm
Dave N (mail):
Is this fundamentally different from executing a search warrant on the wring address or wiretapping the wrong phone number?
I don't think so at all--but then your question doesn't play well with folks like cboldt who think that the government is out to destroy their rights.
2.16.2008 7:41pm
gattsuru (mail) (www):
From a technical viewpoint, unencrypted e-mail is very similar to shouting out a window. It's plaintext data on a well known port, crossing over the property of as many as a dozen different companies that you may or may not have contracted with or even trust. Despite using TCP, there are still even ways for e-mail messages to be 'lost'. It's less common than it used to be, but you can still end up losing a good e-mail to a poorly configured router buffer.

That's, of course, ignoring the legal side of things. Still, you gotta be an idiot to think plain text e-mail is even remotely private, long before the discussion turns to federal officers or corporations.
2.16.2008 7:53pm
Public_Defender (mail):

When I was at DOJ in the late 1990s, it was sometimes difficult to get ISPs to respect privacy as much as the FBI did. The ISPs would want to be lazy and take short cuts, and would offer the FBI more information than the court order requested; the FBI had to object and insist that the ISPs comply exactly with the court orders to fully protect privacy.

This sounds like a good argument for imposing civil liability on companies that violate privacy laws when purporting to assist the government.
2.16.2008 7:59pm
OrinKerr:
cbolt writes:
At any rate, anybody who has an expectation of privacy in e-mail has a screw loose. Orin points out that ISP's have no respect for privacy. No company in its right mind would argue with a federal agent either. "Yes sir, here are the books, and the keys."
cbolt, what does the ISP practice have to do with it? If I have a nosy super in my building who comes into my apartment a lot, I still have a reasonable expectation of privacy there. Assuming you are referring to a constitutional reasonable expectation of privacy, I think you are misunderstanding what that test means.
2.16.2008 9:05pm
SDonelan:
I'm not sure its really fair to call ISPs lazy. After all, if lawyers were always careful, why do most law firms put a "if you are the wrong person, please notify us and destroy this information" paragraph on their outgoing FAX and email? Shouldn't the law firm make sure it is sending the right information to the right place before it sends it? There is usually more than enough finger-pointing to go around.

Looking through the FOIA documents there are examples of all sorts of mistakes all around. Asking for the wrong information, citing the wrong statutes, receiving the wrong information, receiving too much information. And although the documents don't report it, I wouldn't be surprised if there weren't also cases of receiving too little information. It wasn't just ISPs, the FOIA documents have examples from credit reporting agencies, telephone companies, and so on. It looks like everyone is "lazy."

And sometimes there is just simple mis-communication. The DoJ and FBI may think their letters are models of clarity, but sometimes what the DoJ/FBI calls something and what industry calls something turn out to be different things. And what is produced may or may not be what the DoJ/FBI was expecting.
2.16.2008 10:25pm
TruePath (mail) (www):
Of course the other customers weren't notified. That would reveal exactly who was being wiretapped (the guy who wasn't notified). It was fixed in a few days and the extra information thrown away. I'm pretty liberal and sucpiscious of the FBI and other groups monitoring communications but I'm certainly not bothered by this case. Now whether or not other cases where it is much less extra email that is gathered I'm more concerned about. In particular I worry that it would be easier just not to mention the one or two extra email addresses you got.

As far as the analogy to executing the incorrect search warrant a better analogy would be this. Suppose the FBI got a warrant to search someone's apartment but the landlord gave them the wrong key and directed them to the wrong unit.

However, if this happens frequently it would be appropriate for the government to put in place it's own safegaurds. In particular for email warrants and other similar tasks the government should have special filters that only allow the agents to examine the information covered in their warrant. This would be a nice first step towards dealing with digital 4th amendment issues in the way Orin suggests and who cares if the FBI gets extra info if they have safeguards that prevent it from ever being examined.

-----

Ohh and it's not so clear to me that the fact that in fact ISPs aren't very careful safeguarding email somehow removes people's privacy interest in email. I mean if the government stopped firing post office employees who snooped into your mail and generally encouraged the post office to be extremely careless with your mail but kept this information from becoming generally known would they now be able to search your mail without a warrant?

Also even if many ISPs behave carelessly with your email statistically it is reasonable to assume your email isn't read by anyone else. In fact as a statistical matter I wouldn't be surprised if your emails are less frequently snooped than people listen in on your phone calls (scanners for wireless handsets, crossed lines etc..)
2.17.2008 12:44am
TruePath (mail) (www):
Ohh I see Orin got to the point about ISP practice already with a more authoritative answer. Good to see I was on the right track even if it was unnecessary.
2.17.2008 12:47am
Oren:
Is this fundamentally different from executing a search warrant on the wring address or wiretapping the wrong phone number?
Yes, because it's not the government's mistake but rather that of a third party. It's more like a super taking the police to the wrong address than the police going to that wrong address.

That said, I think my liberal credentials on this site are well-established and even I think this is a tempest in a teapot.
2.17.2008 1:56am
cboldt (mail):
Assuming you are referring to a constitutional reasonable expectation of privacy, I think you are misunderstanding what that test means.

.

I am grafting the ability (not necessarily the right) of a third party to view communications onto the legal tests that ostensibly circumscribe government surveillance.

.

Not that you ever made the argument, and not that I think it holds any water, but some have argued that because a foreign government could view your international communications (and there would be no remedy), a US person has no reasonable expectation of privacy in an international communication.

.

As for the "constitutional" REP (privacy as against the government), that too is eventually founded on real world ability of strangers to observe, and laws that purport to prohibit such observation to private parties who happen to have access, e.g., telecom and postal privacy laws.

.

But given that the administration, Congress, and maybe a substantial majority of Americans have adopted the position that at least the FISA civil statutory "prohibition" (50 USC 1810) should be waived via immunity, I think it's reasonable to cast the "constitutional reasonable expectation of privacy" vis-a-vis the government's viewing of electronic communications, as a phantom. It exists in ones imagination.

.

A "right" to privacy can be viewed more than one way. People disclose things to the doctor, but if the doctor doesn't talk, then we feel privacy has been maintained. Similar with the government. If you aren't doing anything wrong, and you never know you've been eavesdropped, and the information doesn't spread, some would argue that privacy has been maintained.

.

It's a tough role for a protective government, because privacy in the sense of being able to prevent eavesdropping creates the ability to cloak dangerous intentions. See, e.g., export restrictions on cryptographic tools.
2.17.2008 6:43am
cboldt (mail):
Assuming you are referring to a constitutional reasonable expectation of privacy, I think you are misunderstanding what that test means.

.

Account too, for my comment about ISPs being reluctant (unlikely in the extreme) to challenge an order from a government agent. To answer the question "what does ISP practice have to do with it," to the extent the ISP cooperates with orders to disclose to the government, there is a possibility of a 4th amendment challenge, e.g., that the basis for the government order lacks sufficient probable cause or foreign intelligence content. IOW, my comment didn't stop at "the ISP can see it," it included the ISP transferring communication content and/or wrappers to the government, without question.

.

Some ISPs may be protective of their customers' privacy against the government, but I suspect they are a rare exception, not the rule. The raw number of NSLs (warrantless) vs. how the number of legal challenges to NSLs is, I think, a reasonable window into that contention.
2.17.2008 7:21am
cboldt (mail):
If I have a nosy super in my building who comes into my apartment a lot, I still have a reasonable expectation of privacy there.

.

For what it's worth, yes you do. But if your nosy super (or neighbor, or "friend") is also an informant, the information he provides to the government can be used to produce probable cause and, if needed, a warrant for "official confirmation."
2.17.2008 7:33am
OrinKerr:
cboldt,

What cases would you cite for that view? Or do you mean this as your own normative theory of what the Constitution means, apart from what the courts have said?
2.17.2008 1:03pm
OrinKerr:
cboldt writes:
But if your nosy super (or neighbor, or "friend") is also an informant, the information he provides to the government can be used to produce probable cause and, if needed, a warrant for "official confirmation."
No, cboldt, that is incorrect, at least if you mean information he provides about the inside of your apartment pursuant to a government request to enter your apartment. See Chapman v. United States.
2.17.2008 1:08pm
cboldt (mail):
that is incorrect, at least if you mean information he provides about the inside of your apartment pursuant to a government request to enter your apartment.

.

I was thinking of (but failed to expressly specify) the informant to be acting without a specific request from the government. I.e., NOT pursuant to a government request to enter your apartment. Just a snoopy super who, upon seeing something "alarming," chooses to report the observation to the authorities.
2.17.2008 4:53pm
cboldt (mail):
The Chapman case appears to stand for the proposition that probable cause is not enough for entry into the premises for the purpose of criminal investigation. The deficiency was a warrant.

.

if your nosy super (or neighbor, or "friend") is also an informant, the information he provides to the government can be used to produce probable cause and, if needed, a warrant for "official confirmation."


So, for purposes of physical entry for criminal prosecution (but not for foreign intelligence), the authorities would need to take thew probable cause produced by the report from the snoopy super, and extend it to a warrant.

.

"Privacy" is at risk upon the existence of probable cause, or any of the other 4th amendment exceptions.
2.17.2008 5:02pm
OrinKerr:
Cboldt,

No, it wouldn't matter if the informant is acting pursuant to a specific request. The question is whether the informant is acting as an agent of the state. As for your point about warrants, you are wrong again. The problem in Chapman is that the landlord lacked authority to consent. If he had authority to consent, no warrant would be needed.

More broadly, I realize you think the Constitution and privacy are under attack. But fortunately, we have a lot more privacy than you think.
2.17.2008 6:19pm
cboldt (mail):
The question is whether the informant is acting as an agent of the state. As for your point about warrants, you are wrong again. The problem in Chapman is that the landlord lacked authority to consent.

.

OK, the snoopy super is NOT acting as an agent of the state. He's just a snoopy private citizen, who, having pierced your perception of "privacy," decides to inform the authorities of his observation.

.

Is it your contention that a court-issued warrant would NOT have cured the deficiency in the Chapman case?
2.18.2008 6:02am
cboldt (mail):
I realize you think the Constitution and privacy are under attack. But fortunately, we have a lot more privacy than you think.

.

There's no definitive way to determine how much privacy (vs. the government) exists in electronic communications. Court cases that might shed light on the question are closed down on the grounds of state secret, or circumscribed by the terms of an NSL. Even Congress is moving to retroactively neuter civil remedies in the area of interceptions ordered on foreign intelligence grounds, etc. The administration decried the revelation of the TSP as disclosing classified information, the extent of surveillance undertaken without a warrant. IOW, the government held as classified (secret from the public) that surveillance exceeds the contours one would infer from privacy statutes.

.

My general point is that one reliably has privacy only to the extent information can be contained, kept out of sight from snoopy supers, etc. Information that is shared, even with "trusted" others (even doctors and lawyers) is not "perfectly" secure against disclosure, as there are certain professional and statutory requirements to report.

.

I'm not complaining about the extent of privacy, there is certainly a public interest to be balanced against personal privacy. I noted above, the ability to obtain privacy creates the ability to cloak bad intentions. And my intuition is that we have more privacy now than existed in certain historical periods.

.

But I don't think it's prudent to take the government (or a business) at its word when it asserts "such as so is kept private." The contours of the 4th amendment have changed, in some areas changed radically (e.g., from Olmstead to today), and will continue to evolve. Sometimes in secret.
2.18.2008 6:41am
markm (mail):
I've no surprise that the NY Times mis-reported this to make the FBI look at fault when it was the FBI that reported the ISP's error. They similarly reported the abuses in Abu Ghraib as if they were newly discovered, when in fact the military authorities had already investigated and were about to put the responsible MP's on trial.

I just wonder how the NY Times will report such things once a Democrat is in the White House?
2.18.2008 9:27pm