Digital Due Process Coalition Proposes Changes to Federal Surveillance Law

March 30, 2010. A newly organized coalition of companies and groups named Digital Due Process (DDP) announced a set of four principles which they argue should be incorporated into the federal statutes that regulate government searches and seizures of stored communications and data.

The coalition stated in a release that it advocates "updating the key federal law that defines the rules for government access to email and private files stored in the Internet 'cloud.'" There are numerous other issues involving government searches and seizures in the context of new information technologies that the DDP's four principles do not address.

The coalition stated that Jim Dempsey, of the Center for Democracy and Technology (CDT), "has led the coalition effort".

He stated in the DDP release that "The traditional standard for the government to search your home or office and read your mail or seize your personal papers is a judicial warrant. The law needs to be clear that the same standard applies to email and documents stored with a service provider, while at the same time be flexible enough to meet law enforcement needs."

ECPA and Other Statutory Acronyms. The coalition stated that their legislative "recommendations focus on the Electronic Communications Privacy Act (ECPA)".

In 1968 the Congress enacted the Omnibus Crime Control and Safe Streets Act of 1968. Title III of this Act addressed wiretaps in the context of analog telephone networks, and bugs. Title III of the 1968 Act is also sometimes referred to as the Wiretap Act. (There is also a Wire Act, a different statute that deals with gambling.)

In 1986 the Congress enacted the ECPA, Public Law No. 99-508. Title I of the ECPA amended the Wiretap Act, to include "electronic communications", and thereby bring internet based communications technologies within the scope of the statute. Title II of the ECPA is the Stored Communications Act (SCA). It addresses access to stored wire and electronic communications and transactional records. Finally, Title III of the ECPA addresses pen register and trap and trace devices.

These statutory sections have been further amended since 1986, especially by Title II of HR 3162 (107th Congress), the 2001 USA PATRIOT Act, Public Law No. 107-56.

Currently, in the context of intercepts, many relevant definitions are codified at 18 U.S.C. § 2510. The basic prohibition of unlawful intercepts is codified at 18 U.S.C. § 2511. See also, 18 U.S.C. §§ 2510-2522.

The basic prohibition of unlawful access to stored communications is codified at 18 U.S.C. § 2701. See also, 18 U.S.C. §§ 2701-2712.

The rules governing pen registers and trap and trace devices (PR&TTD) are codified at 18 U.S.C. §§ 3121-3127.

PR&TTD is not a widely used term. The PR&TTD concept originated with analog voice service over the Public Switched Telephone Network (PSTN). Originally, 18 U.S.C. § 3127 provided that a pen register records the numbers that are dialed or punched into a telephone, while a trap and trace device captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted. The 2001 Act expanded the scope of surveillance under pen register and trap and trace authority to include internet routing and addressing information. That is, an e-mail address in the "To:" line of an e-mail message is somewhat analogous to the number dialed in a PSTN voice call.

The DDP's four principles make no reference to the Foreign Intelligence Surveillance Act (FISA), which is codified in Title 50. However, the same Federal Bureau of Investigation (FBI) engages in the same types of intercepts, and accesses the same types of data, under both Title 18 and Title 50. The difference lies in the government's purported purposes (law enforcement versus foreign intelligence and terrorism) and the lower burdens that the government must meet when proceeding under Title 50.

Also, the DDP's four principles all address search and seizure by "the government". There is nothing in the four principles, for example, about subpoenas in private litigation.

DDP's Four Principles. The DDP announced four principles, pertaining to government access to documents stored online, device location information, transactional data, and bulk transactional data.

First, "The government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online."

Second, "The government should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device."

Third, "Before obtaining transactional data in real time about when and with whom an individual communicates using email, instant messaging, text messaging, the telephone or any other communications technology, the government should demonstrate to a court that such data is relevant to an authorized criminal investigation."

Fourth, "Before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect, the government should first demonstrate to a court that the data is needed for its criminal investigation."

DDP's Explanation of Its Four Principles. The DDP elaborated that the first principle, regarding access to data stored online, "applies the safeguards that the law has traditionally provided for the privacy of our phone calls or the physical files we store in our homes to private communications, documents and other private user content stored in or transmitted through the Internet 'cloud' -- private emails, instant messages, text messages, word processing documents and spreadsheets, photos, Internet search queries and private posts made over social networks."

The DDP statement of principles does not go on to state that this would mean no searches, seizures, or intercepts, without a warrant, issued by a judge, based upon a finding of probable cause.

Nor does this short statement of principles articulate details about who is entitled to notice (such as the cloud service provider, or the user who stores documents), when notice must be given, and who has standing to challenge such warrants or orders.

The second principle, regarding location information, has become an issue in part because the Federal Communications Commission (FCC) has so strenuously mandated location detection capabilities not only for traditional land line phones, but also for cell phones, and anything with interconnected VOIP capability. Law enforcement and intelligence agencies have pressured the FCC to do this, in part to facilitate location surveillance. The FCC has issued technology mandates, without also protecting the privacy interests of people.

The DDP stated that "This principle addresses the treatment of the growing quantity and quality of data based on the location of cell phones, laptops and other mobile devices, which is currently the subject of conflicting court decisions; it proposes the conclusion reached by a majority of the courts that a search warrant is required for real-time cell phone tracking, and would apply the same standard to access to stored location data."

The third principle goes to transactional data about communications and online services. The DDP stated that "In 2001, the law governing 'pen registers and trap & trace devices' -- technologies used to obtain transactional data in real time about when and with whom individuals communicate over the phone -- was expanded to also allow monitoring of communications made over the Internet. In particular, the data at issue includes information on who individuals email with, who individuals IM with, who individuals send text messages to, and the Internet Protocol addresses of the Internet sites individuals visit."

This is a reference to Section 216 of HR 3162 (107th Congress), which became law on October 26, 2001. See also, story titled "Pen Registers and Trap and Trace Devices" in TLJ Daily E-Mail Alert 296, October 29, 2001.

The DDP added that "This principle would update the law to reflect modern technology by establishing judicial review of surveillance requests for this data based on a factual showing of reasonable grounds to believe that the information sought is relevant to a crime being investigated."

The current standard is that a judge must issue a PR&TTD order if the government asserts mere relevance to a criminal investigation; the judge has no discretion. This is a very low standard.

The fourth principle pertains to government access to bulk transactional data. The DDP stated that "This principle addresses the circumstance when the government uses subpoenas to get information in bulk about broad categories of telephone or Internet users, rather than seeking the records of specific individuals that are relevant to an investigation. For example, there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction."

The DDP stated that "Because such bulk requests for information on classes of unidentified individuals implicate unique privacy interests, this principle applies a standard requiring a showing to the court that the bulk data is relevant to an investigation."

The DDP web site also contains a paper [23 pages in PDF] titled "The Electronic Communications Privacy Act of 1986: Principles for Reform", authored by Beckwith Burr of the law firm of Wilmer Hale.

Due Process. The title "Digital Due Process" is alliterative, and has a ring to it, but it is not descriptive of the purposes of the coalition. The coalition is only tangentially advocating due process rights within the meaning of the 5th and 14th Amendments to the U.S. Constitution. Rather, its principles are more in the nature of implementation of 4th Amendment rights in the context of new technologies.

The due process clauses provide that the government cannot take away a person's life, liberty or property without due process of law. Numerous procedures must be afforded to the person whose life, liberty or property is targeted. In contrast, the 4th Amendment provides for privacy, and limits and regulates searches and seizures. The DDP is not arguing that government accessing of stored data is a deprivation of property. It is arguing that it is privacy invasive and must be subject to limitations.

Of course, if the government seeks to imprison someone on a criminal charge, and obtains evidence of the alleged crime from a search or seizure that violates the 4th Amendment, then due process entails exclusion of that evidence from use at trial against the defendant. Moreover, violation of those portions of the ECPA pertaining to intercepts can result in exclusion at a criminal trial. See, 18 U.S.C. § 2515. In contrast, violation of those portions of the ECPA pertaining to stored communications and PR&TTDs does not lead to exclusion. The DDP does not now propose to change this. Also, it is the latter two things that are the focus of the DDP principles.

Moreover, the reforms sought by the DDP are directed in significant part at protecting the privacy interests of individuals outside of the context of gathering evidence in a particular criminal investigation for the purpose of introducing it at trial. The DDP also appears to be concerned about the financial costs imposed upon service providers by burdensome demands placed upon them by the government, which costs might be passed on to consumers.

ACLU. The American Civil Liberties Union (ACLU) is a member of the DDP coalition. It supports the four principles, but also wants the Congress to go further, particularly on the exclusionary rule issue.

The ACLU's Laura Murphy stated in a release that "Our privacy laws desperately need an upgrade ... Technology has evolved at a lightning pace, leaving our privacy protections out of date and ineffective. The Fourth Amendment guarantees us the right to be secure in our ‘papers and effects’ and that means something entirely different in the 21st century. Many of our ‘papers and effects’ are no longer tangible in the same way they used to be but still must be defended from the overreaching hands of government. Congress must step up and make the much-needed changes to the Electronic Communications Privacy Act."

Murphy also stated that "Just as non-electronic information illegally obtained by law enforcement is not admissible in a court of law, the same should be true of illegally obtained electronic information."

DDP Members. The DDP disclosed its members.

No law enforcement or public safety groups are members.

Several key industries are either not involved, or are barely represented. There are no wireless providers (other than AT&T) or trade groups that represent the wireless industry, such as the CTIA, even though the DDP recommendations go to location data held by wireless companies. Loopt, a wireless social mapping service, is a member.

There are no cable companies or trade groups that represent them, such as the National Cable and Telecommunications Association (NCTA). There are no landline phone companies (other than AT&T and the western states CLEC Integra Telecom), or trade groups that represent them, such as USTelecom. There are no companies that make telecommunications or networking equipment, such as Alcatel and Cisco, or trade groups that represent them. There are no companies that make computers, components and mobile devices (other than Intel) or trade groups that represent them.

There are no banks or financial services companies or trade groups. However, eBay, which owns PayPal, is a member.

The list of members includes companies that enable people and companies to store their data online, such as Google, Salesforce.com, and Microsoft. Notably, Amazon, which offers many cloud based services, is not a member.

The list of members includes many think tanks and advocacy groups involved in IT policy, including the Center for Democracy & Technology (CDT), Information Technology & Innovation Foundation (ITIF), Progress & Freedom Foundation (PFF), Computer and Communications Industry Association (CCIA), and Electronic Frontier Foundation (EFF).

The membership list also includes the ACLU, American Library Association, Americans for Tax Reform, AOL, Association of Research Libraries, Citizens Against Government Waste, Competitive Enterprise Institute, and NetCoalition.

The membership list does not include the Electronic Privacy Information Center (EPIC).