When Will our Email Betray Us? An Email Privacy Primer in Light of the Petraeus Saga (EFF.org)
Thursday November 15th, 2012
The unfolding scandal that led to the resignation of Gen. David Petraeus, the Director of the Central Intelligence Agency, started with some purportedly harassing emails sent from pseudonymous email accounts to Jill Kelley. After the FBI kicked its investigation into high gear, it identified the sender as Paula Broadwell and, ultimately, read massive amounts of private email messages that uncovered an affair between Broadwell and Petraeus (and now, the investigation has expanded to include Gen. John Allen's emails with Kelley). We've received a lot of questions about how this works--what legal process the FBI needs to conduct its email investigation. The short answer? It's complicated.
The Electronic Communications Privacy Act (ECPA) is a 1986 law that Congress enacted to protect your privacy in electronic communications, like email and instant messages. ECPA provides scant protection for your identifying information, such as the IP address used to access an account. While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider. But obtaining the account's IP address alone does not establish the identity of the emails' sender.
Broadwell apparently accessed the emails from hotels and other locations, not her home. So the FBI cross-referenced the IP addresses of these Wi-Fi hotspots "against guest lists from other cities and hotels, looking for common names." If Broadwell wanted to stay anonymous, a new email account combined with open Wi-Fi was not enough. The ACLU has an in-depth write-up of the surveillance and security lessons to be learned from this.
After the FBI identified Broadwell, they searched her email. According to news reports, the affair between Petraeus and Broadwell lasted from November 2011 to July 2012. The harassing emails sent by Broadwell to Jill Kelley started in May 2012, and Kelley notified the FBI shortly thereafter. Thus, in the summer of 2012, when the FBI was investigating, the bulk of the emails would be less than 180 days old. This 180 day old dividing line is important for determining how ECPA applies to email.
Compared to identifying information, ECPA provides more legal protection for the contents of your email, but with gaping exceptions. While a small but increasing number of federal courts have found that the Fourth Amendment requires a warrant for all email, the government claims ECPA only requires a warrant for email that is stored for 180 days or less.
But as the Department of Justice Manual for searching and seizing email makes clear, the government believes this only applies to unopened email. Other email is fair game with only a subpoena, even if the messages are less than 180 days old. According to reports, Patraeus and Broadwell adopted a technique of drafting emails, and reading them in the draft folder rather than sending them. The DOJ would likely consider draft messages as "opened" email, and therefore not entitled to the protection of a search warrant.
In a nutshell, although ECPA requires a warrant for the government to obtain the contents of an email stored online for less than 180 days, the government believes the warrant requirement doesn't apply for email that was opened and left on the server - the typical scenario for webmail systems like Gmail -- even if the messages are less than 180 days old. So, under the government's view, so long as the emails had been opened or were saved in the "drafts" folder, only a subpoena was required to look at contents of Broadwell's email account.
Confused? Well, here's where things get really complicated. The government's view of the law was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages. As a result, the DOJ Manual notes that "Agents outside of the Ninth Circuit can therefore obtain such email (and other stored electronic or wire communications in "electronic storage" more than 180 days) using a subpoena..." but reminds agents in the Ninth Circuit to get a warrant.
News reports show that the FBI agents involved in the Petraeus scandal were in Tampa, Florida. Thus, according to the DOJ Manual, they did not need to get a warrant even if the email provider was in California (like, for example, Gmail): "law enforcement elsewhere may continue to apply the traditional narrow interpretation of 'electronic storage,' even when the data sought is within the Ninth Circuit."
A subpoena for email content would generally require notice to the subscriber, though another section of ECPA allows for delayed notice, for up to 90 days. The FBI interviewed Broadwell for the first time in September, about 90 days after the investigation began in June.
However, many providers nevertheless protect their users by following the Ninth Circuit rule, and insist upon a warrant for the contents of all email. In EFF's experience, the government will seek a warrant rather than litigate the issue. Thus, assuming the service provider stepped up, it is likely that the government used a warrant to obtain access to the emails at issue.
If a warrant was used, note that a warrant is often quite broad, and the government may well have obtained emails from other accounts under the same warrant. And as result, there's no telling how much email the FBI actually read.
The government is required to "minimize" its collection of some electronic information. For example, under the Wiretap Act, the government is supposed to conduct its wiretapping in a way that "minimize[s] the interception of communications not otherwise subject to interception." This ensures the government isn't listening to conversations unrelated to their criminal investigation.
But when it comes to email, such minimization requirements aren't as strong. The DOJ Manual suggests that agents "exercise great caution" and "avoid unwarranted intrusions into private areas," when searching email on ISPs but is short on specifics. The New York Times reported that FBI agents obtained access to Broadwell's "regular e-mail account." They could have read every email that came through as they investigated the affair. Possibly, the FBI could have read an enormous amount of email from innocent individuals not suspected of any wrongdoing.
And while the Fourth Amendment requires search warrants to be specific and particular, as noted earlier, it's not entirely clear whether the FBI got a search warrant to search Broadwell's email. Even if it did get a warrant, the government has argued that broad warrants are needed in electronic searches because evidence could be stored anywhere. While some courts have pushed back on this broad search authority when it comes to email, many courts still give the government wide access to email and other forms of electronic content.
Sound confusing? It is. ECPA is hopelessly out of date, and fails to provide the protections we need in a modern era. Your email privacy should be simple: it should receive the same protection the Fourth Amendment provides for your home.
So why hasn't Congress done anything to update the law? They've tried a few times but the bills haven't gone anywhere. That's why EFF members across the country are joining with other advocacy groups in calling for reform. This week, we're proud to launch a new campaign page to advocate for ECPA reform. And we're asking individuals to sign EFF's petition calling on Congress to update ECPA for the digital era so that there can be no question that the government is required to go to a judge and get a warrant before it can rummage through our email, online documents, and phone location histories.
We know that major privacy scandals can prompt Congress to get serious about updating privacy law. The Video Privacy Protection Act was inspired by the ill-fated Supreme Court nomination of Judge Robert Bork, after a local Washington reporter obtained Bork's video rental records. And the Foreign Intelligence Surveillance Act was inspired by the findings of the Church Committee, which showed that the FBI had warrantlessly surveilled Dr. Martin Luther King, Jr. and many other activists. If we learn nothing else from the Petraeus scandal, it should be that our private digital lives can become all too public when over-eager federal agents aren't held to rigorous legal standards.
Congress has dragged its feet on updating ECPA for too long, resulting in the confusing, abuse-prone legal mess we're in today. Join EFF in calling on Congress to fix the law.