Petraeus e-mail affair highlights U.S. privacy law loopholes
Because of the wording of an obscure 1986 federal law, the former CIA director -- and the rest of Americans -- receive less privacy protection than we would for love letters stored under a mattress.
If former CIA Director David Petraeus had secretly stashed love letters he exchanged with his paramour at home under his mattress, he might have actually done a better job of protecting his privacy.
Blame federal law for this counterintuitive result. Because it's so easy to dash off an e-mail -- or-- you might think electronic correspondence should receive far greater legal protections and be more difficult for the FBI to read.
Not quite. Because of the way a key federal privacy law was worded in 1986, back in the pre-Internet days of analog modems, floppy disks, and the 2.8 MHz Apple IIgs, e-mail stored in the cloud receives less legal protection than it would if printed out.
For love letters stashed under a mattress, FBI agents would have had to secure a search warrant from a judge to enter Petraeus' bedroom. Perhaps just as important, he would likely have known that his house had been raided. Front doors bashed in with a "Hydra Ram" forcible entry tool tend to make that obvious. So does Rule 41 of the Federal Rules of Criminal Procedure.
But for love letters stored in draft format on Gmail, something that Petraeus and biographer Paula Broadwell reportedly did, the Justice Department claims that police have the right to access those without a search warrant. It says only a subpoena, signed by a prosecutor without a judge's prior approval and without demonstrating probable cause related to a crime, is necessary.
In a legal brief (PDF) filed with a federal appeals court in a previous case, the Justice Department argues that draft e-mail messages aren't in "electronic storage" and therefore "do not" require the FBI to obtain search warrants to peruse them.
Another oversight in the 1986 law, called the Electronic Communications Privacy Act (ECPA), is that you won't even know if police are poking through your e-mail accounts. (Contrast this with the notification requirements for searching bank records.)
Courts have not required police to notify account holders of e-mail searches. In a 2009 ruling (PDF), a federal district judge in Oregon ruled that notifying the Internet or Web e-mail provider was sufficient under both ECPA and the Fourth Amendment. The court's conclusion: the "notice requirement is satisfied when a valid warrant is obtained and served on the holder of the property to be seized, the ISP."
A coalition of groups, which include liberal, conservative, and libertarian non-profit organizations as well as companies, hope to convince the U.S. Congress to update ECPA to bring it into the cloud computing era. (CNET was the first to report on theof this Digital Due Process coalition.)
Corporate members of the Digital Due Process coalition include Amazon.com, Apple, AT&T, eBay, Google, IBM, Intel, Intuit, LinkedIn, Loopt, and Microsoft.
In addition to being drafted for an earlier era, ECPA is notoriously convoluted and difficult even for judges to follow. Members of the coalition also fear the law's wording could slow the shift to cloud-based services unless it's changed to require police to obtain a search warrant to access private communications. (A notification requirement, however, is not explicitly part of the coalition's lobbying efforts.)
In September, Rep. Zoe Lofgren -- a Democrat who represents the heart of Silicon Valley, including the home turf of Apple, Google, and Intel --legislation backed by the coalition that would generally require law enforcement officials to obtain a search warrant signed by a judge before they can access cloud data or location information. Sen. Patrick Leahy (D-Vt.), has .
But the Justice Department has warned that updating that telephone-modem-era law would have an "adverse impact" on investigations. The White House has not, at least so far, taken a formal position on updating ECPA to require search warrants for e-mail or mobile device geolocation data.