Sections 209, 212, and 220 adjust certain requirements for access to communications.
Section 209. Previously, seizure of voicemail stored with a service provider required a court order under the Title III wiretap authorities, which has more rigorous standards than an ordinary criminal search warrant. Stored email, however, required only an ordinary search warrant or in some cases only a subpoena. Section 209 revises 18 U.S.C section 2703 to cover stored voicemail as well as stored email, thereby eliminating the wiretap order requirement.
Section 212. Electronic communications privacy laws prohibit service providers from voluntarily disclosing, even to the government, most customer communications or records. Section 212 creates an exception to this rule—for both communications and records. It permits providers to disclose this material if they "reasonably believe" that there is "an emergency involving immediate danger of death or physical injury to any person." The exception involving emergency disclosure of the content of communications was made permanent subsequent to the PATRIOT Act by the Homeland Security Act. The exception involving customer records remains subject to the PATRIOT Act sunset provision.
Section 220. Previously, the government could seek a search warrant for service providers' customer communications or records only in the judicial district in which the provider is located. This posed problems for criminal investigators because providers are often located somewhere other than where a crime occurs. Section 220 authorizes the court in the district in which the crime occurred to issue search warrants to be served anywhere in the country. A separate section—section 219, which does not sunset—provides for nationwide service of federal search and arrest warrants in international or domestic terrorism cases.
Sections 209, 212 and 220 are not among the most controversial provisions of the PATRIOT Act. The fact that they are subject to the sunset at all, while, for example, the "sneak and peek' authority in Section 213 and the national security letter expansions in Sections 358 and 505 are not subject to the sunset, is another illustration of how the debate over the sunsets is somewhat misplaced.
As with most other sunsetted provisions, there is little call for denying government the access to information provided under Sections 209, 212 and 220. Rather, the questions posed by these sections are matters of checks and balances, related to the continuing but uneven effort to rationalize the standards for government access to electronic communications and stored records in the light of ongoing changes in technology.
In that regard, these sections highlight an overarching concern about the way in which amendments to the surveillance laws in recent years, and especially in the PATRIOT Act, have served as a "one-way ratchet' expanding government power without corresponding improvements in the checks and balances applicable to those powers. This has actually been a departure from Congress' traditional approach to electronic surveillance issues. In Title III (1968); in the Electronic Communications Privacy Act of 1986; and even in the controversial Communications Assistance for Law Enforcement Act of 1994, Congress and the Justice Department agreed on the twin goals of ensuring law enforcement authority to intercept communications while also strengthening privacy protection standards, especially in light of changing technology.
This spirit of balance has unfortunately been lost. In recent years, time and again, the Department of Justice has proposed changes in the surveillance laws that reduce judicial oversight or increase Executive Branch discretion, and Congress has too often enacted them, without ever considering how these changes add up or whether other changes may be needed to increase privacy protections in response to advancements in technology that have made the government's surveillance more intrusive.
Sections 209, 212, and 220 match statutory surveillance laws to the traditional protections of the Fourth Amendment. These sections try to ensure that on-line investigations are regulated by the same principles that regulate investigations off-line under the Fourth Amendment. This is a laudable and generally uncontroversial goal, and it should be unsurprising that these sections have drawn little controversy. Congress should retain them.
To understand these sections of the Patriot Act, it helps to begin by understanding why Congress regulates Internet privacy instead of the courts and the Fourth Amendment. Sections 209, 212, and 220 exist because the Fourth Amendment extends little if any privacy protection to Internet communications. The Fourth Amendment does a very good job regulating traditional criminal investigations, in which the police enter private homes and retrieve evidence. Fourth Amendment rules regulate when the police can search the home and what property they can seize once there. The basic rule is that a probable cause warrant is required to enter a home and retrieve evidence unless an exception such as exigent circumstances applies.
When we switch from traditional investigations to Internet crime cases, however, the Fourth Amendment suddenly offers little protection. Evidence such as e-mail is now stored with third-party Internet service providers, and the police generally try to obtain the information directly from those service providers. But the Fourth Amendment generally offers no protection to information disclosed to third parties, and gives those third parties unlimited power to search through documents in their possession and disclose the results to law enforcement. Although the constitutional doctrine in this area is not well-developed, the cases suggest that the Fourth Amendment may offer little or even no protection to Internet users.More . . .
A crucial challenge posed by new technologies is how to extend to them privacy protections equivalent to those afforded by the Fourth Amendment. A one-to-one extension is difficult, especially since, about 30 years ago, the Supreme Court held that the Constitution affords no privacy protection to personal information disclosed to "third parties.' Under this theory, the government can get your financial records from your bank and your prescription drug records from your pharmacy merely by asking the third party to disclose them, with no notice to you and no opportunity for you to object.
Even 30 years ago, this seemed at odds with people's reasonable expectations. Today, in the digital age, this theory, unless Congress acts, would leave unprotected the vast quantities of information about almost every aspect of your life that are recorded with businesses. The transition to Web-based services and the availability of huge volumes of online storage mean that emails, calendars, travel itineraries, photos, documents, and even drafts never meant to be read by anyone are stored outside the protections of the Constitution. Prof. Kerr agrees that, unless the Supreme Court revisits its "third party records' doctrine, Congress has to respond, as it did in the Electronic Communications Privacy Act of 1986. Prof. Kerr also agrees that some of the protections of that statute are no longer adequate, given the continuing evolution of the networked society. Our dispute is over what further changes are necessary to respond to the flow of information out of the home and onto the Internet.
In my view, one of the most important of the "traditional' Fourth Amendment protections is notice when the government is seeking information about you. (One of the few exceptions would be wiretapping, where the effectiveness of the technique would be obviated if prior or contemporaneous notice were given.) Under ECPA, and under Sections 209, 212, and 220 of the PATRIOT Act, the government can get your records from a third party, without telling you. Without transparency, the government is much more likely to ask for a lot, and the business receiving the order is not likely to want to spend its money defending your privacy.
Section 212 allows the government to tell an ISP that there is an emergency and the ISP can then disclose your email without even a subpoena, let alone a warrant, and never tell you so that you never have an opportunity to challenge the disclosure. Traditionally, when records were stored locally, even if there was an emergency justifying an exception to the warrant requirement, you would normally know of the search of your home or office. At the least, under 212, there should be after-the-fact notice to the person whose email has been disclosed and some opportunity to judge whether the government fairly represented the existence of an emergency.
Section 209 allows the government to use a mere subpoena to get voice mail you have listened to but continue to store with the phone company's voice mail service, again without notice. Notice and an opportunity to object in non-emergency situations would protect against abuse of practices now shrouded in secret.
Secrecy is not necessary in these situations to ensure the success of the investigation: the information is stored with a third party, outside your control, so the government will get it even if it gives you notice.
Jim Dempsey and I agree about a great deal here: I think our area of disagreement is a relatively minor one about means, not a fundamental one about ends.
My own view is that the problems Dempsey identifies can be best addressed in two ways: first, by adding a statutory suppression remedy to the Internet surveillance laws; and second, by bolstering some of the privacy protections for accessed communications under the Stored Communications Act. I have written law review articles urging Congress to make both changes: Lifting the 'Fog' of Internet Surveillance: How a Suppression Remedy Would Change Computer Crime Law, 54 Hastings Law Journal 805-845 (2003) (arguing in favor of a suppression remedy), and A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 George Washington Law Review 1208-1243 (2004) (arguing both for a suppression remedy and for bolstered protection for opened e-mail and voicemail). Both articles are available on Westlaw and Lexis, and can be downloaded for free here.
Jim Dempsey's concerns about notice are serious ones that merit substantial attention. They raise an interesting and difficult question: what right should a person have to know that the government has obtained information about them, either before or after that information has been obtained? The traditional rule in criminal investigations is that notice need not be given. For example, a suspect has no right to know when government investigators subpoena a suspect's phone records, look up their criminal records, open an undercover investigation, talk to the suspect's neighbors, or interview eyewitnesses to the crime. The only major exception is that residents have a right to know when the government has executed a search warrant in that person's home: although there is no absolute right to notice, the usual rule is that the police must leave notice that the search occurred. Under current law, Internet users also have a narrow right to notice when the government seeks to obtain content records from an ISP with less than probable cause.
Should this narrow right be expanded to include other kinds of government access to information stored by Internet service providers? Perhaps, perhaps not. The traditional rule against notice reflects a legitimate government interest: notice tips off the suspect as to the details of the investigation, and that notice can thwart the investigation. Notice can also add a paperwork requirement that ranges from minimal to substantial. At the same time, notice can provide a target with the information needed to challenge the government's procedure. My instinct is that the interest served by the notice requirement is best met instead by a statutory suppression remedy: a suppression remedy would require notice after criminal charges are brought, and permit defendants to challenge the government's procedure at that point. But if Congress does not wish to add a suppression remedy, greater notice requirements at the time of government access to information should be considered.