Sections 209, 212, and 220.
Access to Wire and Electronic Communications
Sections 209, 212, and 220 adjust certain requirements for access to communications.
Section 209. Previously, seizure of voicemail stored with a service provider required a court order under the Title III wiretap authorities, which has more rigorous standards than an ordinary criminal search warrant. Stored email, however, required only an ordinary search warrant or in some cases only a subpoena. Section 209 revises 18 U.S.C section 2703 to cover stored voicemail as well as stored email, thereby eliminating the wiretap order requirement.
Section 212. Electronic communications privacy laws prohibit service providers from voluntarily disclosing, even to the government, most customer communications or records. Section 212 creates an exception to this rule—for both communications and records. It permits providers to disclose this material if they "reasonably believe" that there is "an emergency involving immediate danger of death or physical injury to any person." The exception involving emergency disclosure of the content of communications was made permanent subsequent to the PATRIOT Act by the Homeland Security Act. The exception involving customer records remains subject to the PATRIOT Act sunset provision.
Section 220. Previously, the government could seek a search warrant for service providers' customer communications or records only in the judicial district in which the provider is located. This posed problems for criminal investigators because providers are often located somewhere other than where a crime occurs. Section 220 authorizes the court in the district in which the crime occurred to issue search warrants to be served anywhere in the country. A separate section—section 219, which does not sunset—provides for nationwide service of federal search and arrest warrants in international or domestic terrorism cases.
Sections 209, 212 and 220 are not among the most controversial provisions of the PATRIOT Act. The fact that they are subject to the sunset at all, while, for example, the "sneak and peek' authority in Section 213 and the national security letter expansions in Sections 358 and 505 are not subject to the sunset, is another illustration of how the debate over the sunsets is somewhat misplaced.
As with most other sunsetted provisions, there is little call for denying government the access to information provided under Sections 209, 212 and 220. Rather, the questions posed by these sections are matters of checks and balances, related to the continuing but uneven effort to rationalize the standards for government access to electronic communications and stored records in the light of ongoing changes in technology.
In that regard, these sections highlight an overarching concern about the way in which amendments to the surveillance laws in recent years, and especially in the PATRIOT Act, have served as a "one-way ratchet' expanding government power without corresponding improvements in the checks and balances applicable to those powers. This has actually been a departure from Congress' traditional approach to electronic surveillance issues. In Title III (1968); in the Electronic Communications Privacy Act of 1986; and even in the controversial Communications Assistance for Law Enforcement Act of 1994, Congress and the Justice Department agreed on the twin goals of ensuring law enforcement authority to intercept communications while also strengthening privacy protection standards, especially in light of changing technology.
This spirit of balance has unfortunately been lost. In recent years, time and again, the Department of Justice has proposed changes in the surveillance laws that reduce judicial oversight or increase Executive Branch discretion, and Congress has too often enacted them, without ever considering how these changes add up or whether other changes may be needed to increase privacy protections in response to advancements in technology that have made the government's surveillance more intrusive.
In this context, it is easier to see why even some of the minor changes in the PATRIOT Act draw concern, for they are part of a steady stream of uni-directional amendments that are slowly eroding the protections and limits of the electronic privacy laws.
Section 209 permits the seizure of voicemail messages pursuant to a search warrant or, if the voicemail has been in storage for a long time, pursuant to a subpoena. Previously, while voicemail messages stored on an answering machine in one's home could be seized by a search warrant, access to voicemail messages stored with a service provider had required a Title III order, which offers higher protections. The theory behind section 209 is that stored voice messages should be treated the same as stored data. On some level, this makes the rules technology neutral, which is usually desirable.
However, the change overlooks the importance of notice under the Fourth Amendment and under Title III, and the absence of notice under the rules applied to stored material held by a service provider. When voicemail stored on your home answering machine is seized, you are normally provided notice at the time of the search. You can examine the warrant and immediately assert your rights. When email or voicemail is seized from a service provider pursuant to a warrant, you as the subscriber may never be provided notice unless and until the government introduces the information against you at trial. If you were mistakenly targeted or the government chooses not to use the evidence, you need never be told of the search of your stored communications, so you have little meaningful opportunity to seek redress.
Section 209 removes stored voicemail from the host of protections afforded under Title III. These extra protections are intended in part to make up for the lack of contemporaneous notice (as well as for the ongoing nature of the intrusion). However, in the case of stored messages (whether email or voicemail), it is not even necessary from an investigative standpoint to deny contemporaneous notice in the way it is with live interception. Denial of notice is justified in the case of interceptions because the effectiveness of the technique would be destroyed if the target were given contemporaneous notice. In the case of stored email or stored voice messages, the evidence is already created.
A storage revolution is sweeping the field of information and communications technology. Service providers are offering very large quantities of online storage, for email and potentially for voicemail. Increasingly, technology users are storing information not in their homes or even on portable devices but on networks, under the control of service providers who can be served with compulsory process and never have to tell the subscribers that their privacy has been invaded. New Voice over Internet Protocol (VoIP) services may include the capability to store past voice conversations in a way never available before, further obliterating the distinction between real-time interception and access to stored communications.
Section 209 takes a seemingly small category of information out of the full protection of the Fourth Amendment and moves it under the lowered protections accorded to remotely stored communications and data. But stored voicemail is the tip of an iceberg. Rather than allowing growing amounts of personal information to fall outside the traditional protections of the Fourth Amendment, it is time to revisit the rules for networked storage (whether of voice or data) and bring them more in line with traditional Fourth Amendment principles, by requiring contemporaneous notice as the norm and covering both newer records and older records (again, whether voice or data) under the same probable cause standard. That would be truly technology neutral and would have the advantage of not allowing technology advances to erode privacy protections.
Section 212 permits service providers to voluntary disclose the contents of communications and transactional information without compulsory process in emergency situations. Section 212 represents another in a steadily growing series of exceptions to the protections of the electronic communications privacy laws. (The computer trespasser provision of Section 217 is another example.) Section 212 and similar provisions essentially allow "off the books surveillance'—they define certain interceptions not to be interceptions, and certain disclosures not to be disclosures. Once an access to communications or data is excluded from the coverage of the surveillance laws, not only is it not subject to prior judicial approval, but there are no time limits on the period covered by the surveillance or disclosure, no minimization requirement, no report back to a judge, no notice to the persons who are surveilled unless and until the government introduces the evidence against them in a criminal trial, no statutory suppression rule, and no reports to Congress and the public.
Emergency exceptions are of course reasonable. And the standard in section 212 is not facially objectionable: "if the provider reasonably believes that an emergency involving immediate danger of death or physical injury to any person requires [or justifies] disclosure of the information.' It should be recognized, however, that the information about the emergency will often come from a government agent: rather than going to a judge and getting a warrant, Section 212 permits government agent to go to a service provider, say there is an emergency, and if the service provider reasonably believes there is (even if the government agent was exaggerating), the service provider can disclose the records with no liability and no notice to the subscriber. Surely, this is an invitation to cutting corners, if not more cynical forms of abuse. Notice also how placing the reasonable belief on the part of the service provider diffuses responsibility: the stored records provisions to which this exception was added has no suppression rule for evidence improperly obtained, and it does not appear that the civil action and administrative discipline provisions of 18 U.S.C. 2707 would apply to agents who even intentionally mislead a service provider about the existence of an emergency.
In an age when warrants can be obtained by telephone or fax and presumably even by email, see Federal Rule of Criminal Procedure 41(d)(3), and when every court should have a duty judge available by cell phone or Blackberry 24 hours a day, it is not really so clear that emergency exceptions to judicial oversight are necessary. But even if they are, they should not fall entirely outside a system of checks and balances.
Checks and balances should be added to Section 212. Under the emergency exceptions of both Title III and FISA, after an emergency interception has begun, there must still be an application to a judge, and the information obtained under the assertion of emergency must be discarded if authority to intercept is subsequently denied, and under Title III the application, whether granted or denied, becomes subject to notice requirements. Similar principles could be applied to the emergency authority of Section 212: it could be revised to require after-the-fact review by a judge, and if the judge does not find that the disclosure would otherwise have been justified, the information could be suppressed. At the least, the person whose privacy has been invaded should be notified that his information has been disclosed to the government. An additional or alternative protection would be to make it illegal for a government official to intentionally or recklessly mislead a service provider as to the existence of an emergency. Coupled with notice, this could provide a reasonable remedy to persons whose privacy was needlessly invaded.
Other parts of Section 212 are non-controversial: It rearranged sections 2702 and 2703 of title 18 to make them more logical and clarified that service providers have the statutory authority to disclose non-content records to protect their rights and property.
Note: The change made by Section 212 covering emergency disclosures of the content of communications was repealed by the act creating the Homeland Security Department and replaced with a new and permanent emergency disclosure provision. The comments made above about checks and balances pertain to the new language as well.
Section 220 amended 18 U.S.C. 2703 to allow judges to issue search warrants for electronic evidence that can be executed outside of the district in which the issuing court is located. In a world where the center of an investigation may be in one state, but the target's ISP has its servers in another state, this makes obvious sense. However, as the Electronic Privacy Information Center has noted, Section 220 removes "an important legal safeguard by making it more difficult for a distant service provider to appear before the issuing court and object to legal or procedural defects. Indeed, it has become increasingly common for service providers to seek clarification from issuing courts when, in the face of rapidly evolving technological changes, many issues involving the privacy rights of their subscribers require careful judicial consideration. The burden would be particularly acute for smaller providers.' One solution to this problem is to allow a warrant to be challenged not only in the district in which it was issued but also in the district in which it is served. While the issuing judge may have a better sense of the factual basis for the order, a judge in the district in which the order is served may be in a better position to interpret or redefine the scope of the order in light of issues concerning the system of the service provider on whom the order is served. Even aside from Section 220, whether search warrants for electronic evidence are issued for evidence inside or outside their jurisdictions, judges should question applicants to be sure that the warrant is narrowly drawn. Judges should use extra care in understanding what information is being sought, whether it will be copied or originals will be seized (interfering with ongoing business), and whether it is possible to disclose just certain fields or just records from a certain pertinent timeframe. These are analogous to questions that judges have the authority to consider in the case of physical searches, but judges need to understand computer systems in order to fully enforce the specificity requirement of the Fourth Amendment in the digital context. Judges should look more carefully at the return of service. While notice under 18 U.S. C. 2705(b) can be prohibited, judges should be hesitant to deny notice to the person to whom the records pertain, since the subscriber is really in the best position to raise legitimate concerns. This is just another way in which judges faced with the authorities of the PATRIOT Act can assert closer scrutiny and place conditions on the exercise of PATRIOT authorities without denying the government access to the information needed.
Sections 209, 212, and 220 match statutory surveillance laws to the traditional protections of the Fourth Amendment. These sections try to ensure that on-line investigations are regulated by the same principles that regulate investigations off-line under the Fourth Amendment. This is a laudable and generally uncontroversial goal, and it should be unsurprising that these sections have drawn little controversy. Congress should retain them.
To understand these sections of the Patriot Act, it helps to begin by understanding why Congress regulates Internet privacy instead of the courts and the Fourth Amendment. Sections 209, 212, and 220 exist because the Fourth Amendment extends little if any privacy protection to Internet communications. The Fourth Amendment does a very good job regulating traditional criminal investigations, in which the police enter private homes and retrieve evidence. Fourth Amendment rules regulate when the police can search the home and what property they can seize once there. The basic rule is that a probable cause warrant is required to enter a home and retrieve evidence unless an exception such as exigent circumstances applies.
When we switch from traditional investigations to Internet crime cases, however, the Fourth Amendment suddenly offers little protection. Evidence such as e-mail is now stored with third-party Internet service providers, and the police generally try to obtain the information directly from those service providers. But the Fourth Amendment generally offers no protection to information disclosed to third parties, and gives those third parties unlimited power to search through documents in their possession and disclose the results to law enforcement. Although the constitutional doctrine in this area is not well-developed, the cases suggest that the Fourth Amendment may offer little or even no protection to Internet users.
The gap in constitutional protection triggers an obvious need for Congressional regulation. Congress must step in to protect what the Constitution does not. Fortunately, Congress acted at a very early stage to confer this protection: it enacted a comprehensive statute in 1986 called the Electronic Communications Privacy Act (ECPA). ECPA erected a complicated statutory framework that generates the equivalent of off-line Fourth Amendment protections on-line by statute. The statute restricts the power of investigators to compel evidence from ISPs and places limits on the ability of ISPs to voluntarily disclose information about their subscribers. The basic goal of the statute is to create Fourth Amendment-like protections for Internet communications. Sections 209, 212, and 220 are all amendments to ECPA.
These amendments are necessary because while ECPA was a remarkable achievement for its day, it had a number of quirks and gaps in need of correction. For example, Congress forgot to include an "exigent circumstances' exception for records. The Fourth Amendment contains a common-sense exception to the warrant requirement permitting officers to search and seize if exigent circumstances such as an emergency require immediate action and obtaining a warrant is impractical. ECPA had no such exception for records, however. If an exigency occurred, the police simply were out of luck: the police could not compel ISPs to act without a warrant, and ISPs were also forbidden to disclose information voluntarily in response to the exigency. In a stark departure from well-established Fourth Amendment law, exigent circumstances became irrelevant.
ECPA also had adopted a rather strange rule to regulate voicemail stored with service providers. ECPA required the police to obtain a super-warrant Title III wiretapping order to compel unopened voicemail, but offered zero privacy protection for opened voicemail. Requiring a Title III super warrant effectively placed unopened voicemail off-limits for the police, treating voicemail as more private than personal diaries and bedrooms. Under ECPA, if the government knew that there was one copy of an unopened private message in a person's bedroom and another copy on their remotely stored voicemail, it was illegal for the FBI to simply obtain the voicemail; the law actually compelled the police to invade the home and rifle through peoples' bedrooms so as not to disturb the more private voicemail. Similarly, the law flatly barred state and local police form obtaining access to voicemail except in extremely rare situations. At the same time, ECPA left already-accessed voicemail completely unregulated by any statutory privacy law. This regulatory approach made little sense.
Finally, ECPA introduced needless delay in investigations by changing the traditional rule that federal investigators can obtain orders to compel information in one district and serve them on third parties in other districts. For example, a federal grand jury subpoena can be obtained in one district and served on a company in another district via mail or fax. In contrast, ECPA required law enforcement either to travel around the country to wherever ISP was located or else get local assistance in order to get a search warrant to compel an ISP to disclose information. The order had to be obtained in the district where the ISP was physically located. If a New York-based FBI agent needed to compel a California-based ISP to disclose evidence about a New York-based defendant, he needed to travel to California and apply for a warrant there (or else get help from an agent in California who otherwise had no role in the investigation). Once again, this deviation from the traditional rules made little sense.
Sections 209, 212, and 220 cure these three defects in ECPA. Section 212 adds a narrow exigent circumstances exception to ECPA. It permits a service provider to volunteer information to law enforcement if the provider has a reasonable belief that an emergency involving immediate danger of death or serious physical bodily injury to a person requires immediate disclosure. This narrow exception is considerably more privacy protective than the Fourth Amendment's broad exigent circumstances exception, but reflects a similar effort to balance privacy with competing needs of crime victims. Section 209 corrects ECPA's strange treatment of voicemail by protecting voicemail just like other stored content files such as e-mail. The change simultaneously raises the protection for opened voicemail and extends the traditional Fourth Amendment search warrant protection for unopened voicemail. Section 220 permits investigators to obtain warrants to compel ISPs to disclose information in the district where they are conducting the investigation just as they would any other order. Investigators no longer need to travel or obtain the assistance of others in far-away districts to obtain court orders. In all three cases, the Patriot Act attempts to bring the statutory surveillance law into alignment with the Fourth Amendment.
For the most part, Jim Dempsey's proposals for reform would impose greater privacy restrictions for online investigations than equivalent offline investigations. For example, Dempsey would require a court order to be obtained following an exigent circumstances disclosure, whereas the Fourth Amendment has no such requirement. He would also allow recipients of orders to compel to challenge those orders within the recipient's district rather than in the district where it was issued, instead of retaining the traditional rule that any challenge (itself an extremely rare event) must be filed in the issuing district.
Finally, Dempsey would require customers whose records were disclosed pursuant to an order to compel to receive notice of the disclosure, whereas the Fourth Amendment has no such requirement. While Dempsey suggests that notice is needed to match Fourth Amendment rules, I think his analogy is somewhat flawed. To be sure, the Fourth Amendment normally does require notice to a property owner when the police execute a warrant at a home. However, this notice does not permit the homeowner to challenge the warrant before it is executed, and does not extend to others whose property is located at the place to be searched. According to the Supreme Court, the notice requirement exists so the homeowner knows that the police officers knocking at the door are acting pursuant to proper legal authority and are not rogue officers. Current law appears to satisfy this policy concern by providing notice to the ISP.
This does not mean I necessarily disagree with Dempsey's proposals. I am interested in hearing more about some of them, and less enthusiastic about others. But I see Dempsey's proposals as parallel to the debate over Sections 209, 212, and 220, rather than as a direct challenge to those sections. All three provisions are balanced and appropriate efforts to match statutory laws to the Fourth Amendment. Whatever other proposals Congress wishes to consider beyond them, it should begin by reaffirming these uncontroversial sections of the Patriot Act.
About 30 years ago, the Supreme Court held that the Constitution affords no privacy protection to personal information disclosed to "third parties."Under this theory, the government can get your financial records from your bank and your prescription drug records from your pharmacy merely by asking the third party to disclose them, with no notice to you and no opportunity for you to object.
Even 30 years ago, this seemed at odds with people"s reasonable expectations. Today, in the digital age, this theory, unless Congress acts, would mean the death of all privacy: information about almost every aspect of your life is recorded with some third party. The transition to Web-based services and the availability of huge volumes of online storage mean that emails, calendars, travel itineraries, photos, documents, and even drafts never meant to be read by anyone are stored outside the protections of the Constitution. Yet this is what
I think there should be a stronger view of traditional Fourth Amendment protections, which includes notice when the government is seeking information about you. (One of the few exceptions would be wiretapping, where the effectiveness of the technique would be obviated if prior or contemporaneous notice were given.) Under the privacy laws adopted by Congress, and under Sections 209, 212, and 220 of the PATRIOT Act, the government can get your records from a third party, without telling you. Without transparency, the government is much more likely to ask for a lot, and the business receiving the order is not likely to want to spend its money defending your privacy.
Section 212 allows the government to tell an ISP that there is an emergency and the ISP can then disclose your email without even a subpoena, let alone a warrant, and never tell you so that you never have an opportunity to challenge the disclosure. Traditionally, even if there was an emergency justifying an exception to the warrant requirement, you would know of the search of your home or office. At the least, under 212, there should be after-the-fact notice to the person whose email has been disclosed and some opportunity to judge whether the government fairly represented the existence of an emergency.
Section 209 allows the government to use a mere subpoena to get voice mail you have listened to but continue to store with the phone company"s voice mail service, again without notice. Notice and an opportunity to object in non-emergency situations would protect against abuse of practices now shrouded in secret.