If attorney general Eric Holder wanted to perform even a momentary Internet wiretap on Fox News' e-mail accounts, he would have had to persuade a judge to approve what lawyers call a "super search warrant."
A super search warrant's requirements are exacting: only as a last resort. Only certain crimes qualify for this technique, the target must be notified, and additional restrictions apply to state and local police conducting real-time intercepts.must be secured and placed under seal. Real-time interception must be done
But because of the way federal law was written nearly half a century ago, Holder was able to obtain a normal search warrant -- lacking those extensive privacy protections -- that allowed federal agents to secretly obtain up to six years of email correspondence between Fox News correspondent James Rosen and his alleged sources.
That legal language has resulted in not only a political flap over the Justice Department's searches of a journalist's private correspondence, but this counterintuitive result: acquiring six seconds of transmitted e-mail requires a super search warrant, but acquiring six years of archived e-mail does not.
Hanni Fakhoury, a staff attorney at the San Francisco-based Electronic Frontier Foundation, says he thinks it would be "great" to extend super search warrant protections to e-mail.
Super search warrants were "enacted specifically because real-time capture of a conversation was a very intrusive surveillance technique," says Fakhoury, a former federal public defender. "As communication has migrated online, and as the people walk around with smartphones that check email instantly, the line between real-time capture of information and accessing it from online storage is becoming more and more blurred to the point it is now almost meaningless."
When super search warrants for live intercepts were created as part of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (PDF), e-mail and the microprocessor had not been invented yet, computers were the size of pickup trucks, and not even science fiction writers were predicting that the contents of cloud storage would become more sensitive than written diaries. Neither ARPANet nor dynamic random access memory chips existed yet, and the , the TRS-80, and the Commodore Pet were nearly a decade away.
Title III of the 1968 law, enacted after congressional investigators found extensive illicit wiretapping by government agencies, initially required super search warrants only for interceptions of "wire" and "oral" communications. It wasin 1986 by the Electronic Communications Privacy Act, or ECPA, to extend the same privacy protections to live intercepts of "electronic" communications -- but not to archived e-mail messages or other confidential documents stored on remote servers.
Orin Kerr, a former federal prosecutor who is now a law professor at George Washington University, says today's situation reflects the fact that even during the 1986 update, storage was so expensive that politicians did not foresee cloud storage of e-mail. Today, according to one estimate, the average Gmail account contains over 17,000 messages. Kerr says:
Our communications laws reflect the technology of the 1980s, when storage was expensive and few communications were stored. At the time, the most invasive surveillance was real-time surveillance because was the only place the communications could be found. But today access to stored communications has become the greater threat. Storage is cheap, so everything is stored. As a result, access to real-time communications is now only a subset of access to stored communications. And that's part of the reason that there are almost no e-mail wiretaps; why bother with all the heightened standards of access when the communications can be accessed in stored form? The hard question is what standard to converge to: Do you converge up, converge down, or meet somewhere in the middle?
By 2013, a rough consensus had emerged among law enforcement, privacy advocates, and judges that traditional, less privacy-protective search warrants are needed before police get to peruse Americans' archived e-mail. The IRS adopted that policy this month (PDF) after disclosures, by CNET, about its internal procedures. Holder took the same position last week, echoing a 2010 saying the Fourth Amendment requires police to obtain traditional warrants for e-mail stored in the cloud.
But the Fourth Amendment's ban on "unreasonable" searches sets only a minimum of privacy protection, not a maximum. Congress has frequently enacted additional privacy protections that go beyond what courts have ruled to be constitutional minimums: The 1980 Privacy Protection Act awarded important privacy protections to publishers. The Taxpayer Browsing Protection Act of 1997 extended additional protections to Americans' tax returns. And super search warrants were, of course, not created by Congress until 1968.
For the Justice Department, obtaining a super search warrant from a judge is far more difficult than obtaining a traditional one. Only senior department officials are permitted to authorize one, compared with any federal prosecutor. The judge must find there is probable cause to believe the intercept will seize the communications, and that alternative investigative procedures are futile or too dangerous.
In 2001, the U.S. Court of Appeals for the 9th Circuit ruled that the FBI's surveillance of a man accused of narcotics trafficking did not meet the legal requirements for a wiretap. The bureau's arguments for not using alternative procedures were "boilerplate conclusions" with "generalized statements that would be true of any narcotics investigation," concluded the court, which forbade prosecutors from using the intercepted communications as evidence.
Title III super search warrants also include a minimization requirement that's not required by federal law for traditional warrants. Minimization typically means the government sets up a human filtering system, in which one person reviews the communications and then hands only the relevant portions -- dealing with likely criminal behavior -- to investigators. (A Department of Justice checklist also requires minimization procedures for intercepted "attorney-client, husband-wife, doctor-patient, priest-penitent" conversations.)
ACLU legislative counsel Chris Calabrese says the FBI's associated with former CIA director David Petraeus and his paramour highlights the need to restrict police to accessing correspondence associated with the crime they're investigating.
"What happens when you start to dig into an email investigation -- what's the end result of that?" Calabrese asks. "They started with one very particular kind of investigation: is this person sending harassing emails? They ended up in a completely wildly different place... It raises some really hard questions that we're not really grappling with yet."
Another difference is that Title III requires that anyone targeted under a super search warrant be notified "not later than ninety days" after the live intercept is completed. The late senator Philip Aloysius Hart, a Michigan Democrat, said during the 1968 debate that "notice of surveillance is a constitutional requirement of any surveillance statute."
Because the Justice Department wasn't required to obtain a Title III intercept order, however, it successfully "fought to keep a search warrant for [Fox News correspondent] James Rosen's private e-mail account secret," the New Yorker reported yesterday.
Rosen apparently did not know his e-mail was seized in 2010 until the Washington Post disclosed it last week. (Fox News Channel president Roger Ailes wrote a letter to employees on Thursday saying: "We reject the government's efforts to criminalize the pursuit of investigative journalism and falsely characterize a Fox News reporter to a federal judge as a 'co-conspirator' in a crime.")
Update May 26 2:00 p.m. PT: The Department of Justice notified News Corp. about the seizure of Fox News' phone records over two years ago, but the parent company did not notify the cable channel, according to a Wall Street Journal report late yesterday.
By contrast, in a 1977 case, the U.S. Supreme Court ruled the FBI needed to follow Title III's notification requirements when the targets in an illegal gambling case had their phone calls intercepted. That notification requirement was designed "to assure the community that the wiretap technique is reasonably employed," the justices said.
The roughly exponential growth in how much storage space is available for the same price, coupled with the demand for e-mail and other stored data to be available on tablets, PCs, and phones, likely means the disparity in privacy protections between stored and in-transit data will become even more glaring.
While police continue to obtain super search warrants for live intercepts of phone calls, they're now less likely to obtain them for e-mail. That's in part because of the routine use of encrypted SSL connections for e-mail -- Googlein 2010 -- and also in part because e-mail is increasingly stored in the cloud. The gradual supplanting of the POP protocol, where messages typically were not left on mail servers and available for law enforcement, by the newer server-based IMAP protocol also encouraged this shift.
Jim Harper, a lawyer and policy analyst with the free-market Cato Institute in Washington, D.C., says the current system allows police to access too much personal information with insufficient safeguards.
"A warrant with enough justification to open a letter taken from a mailbox [also] allows you to open every email the person has sent for the last two years," Harper says. "That's a problem with the warrant issuance process that's real. Do you change the standard or change the administration? I'm inclined toward changing the administration of the process."