Privacy war heats up between ACLU, DOJ

ACLU, other advocacy groups say 'non-content' surveillance of phone, email and social networking activity is an invasion of privacy

Law enforcement authorities in the U.S. still need a warrant to listen in on your phone calls or to read your emails and text messages. But they don't need your permission or a warrant to track who you call, who calls you, who you text, email or vice versa. Plus, your activities on social media sites like Facebook are also fair game -- all in real time.

And the American Civil Liberties Union (ACLU) said that kind of surveillance of Americans' electronic communications has exploded in recent years. The ACLU contends that even if this monitoring does not include the "content" of those communications, it is yet another invasion of citizens' privacy.

The ACLU's Naomi Gilens wrote in a blog post last week that documents released by the Department of Justice (DOJ) last week show that between 2009 and 2011, "the number of people whose telephones were the subject of pen register and trap and trace surveillance more than tripled. In fact, more people were subjected to pen register and trap and trace surveillance in the past two years than in the entire previous decade."

"Pen registers" capture outgoing data, while "trap and trace" devices capture incoming data. Decades ago, they were physical devices attached to telephone lines for the covert recording of incoming and outgoing numbers dialed. Today, such interception capabilities are built into call routing hardware.

And that monitoring of data now extends well beyond telephone numbers. "The government also uses this authority to intercept the 'to' and 'from' addresses of email messages, records about instant message conversations, non-content data associated with social networking identities, and at least some information about the websites that you visit," Gilens wrote.

DOJ agencies got 37,616 court orders for information about phone calls in 2011, an increase of 47% over 2009. When Internet and email information requests are included, the DOJ targeted more than 40,000 people in 2011.

It took the ACLU more than seven months to get information that the DOJ is supposed to submit to Congress every year, starting with a Freedom of Information Act (FOIA) request on Feb. 15. That was followed by a complaint in U.S. District Court on May 23, seeking an injunction to force a half-dozen agencies under the DOJ -- the Criminal Division, Drug Enforcement Administration, FBI, U.S. Marshals Service, Bureau of Alcohol, Tobacco, Firearms and Explosives and Office of Information Policy -- to comply with the request.


The ACLU argues that the Electronic Communications Privacy Act of 1986 (ECPA) -- now 26 years old -- is in dire need of updating. The current law does not require any court approval on the merits of "non-content" surveillance -- law enforcement must simply certify to a court that the information sought is relevant to an ongoing criminal investigation.

"[That standard is] based on an erroneous factual premise, specifically that individuals lack a privacy interest in non-content information. This premise is false," Gilens argues. "Non-content information can still be extremely invasive, revealing who you communicate with in real time and painting a vivid picture of the private details of your life."

"If reviewing your social networking contacts is sufficient to determine your sexuality, as found in an MIT study a few years ago, think what law enforcement agents could learn about you by having real-time access to whom you email, text, and call," Gilens writes.

The DOJ said in a statement to news media that the orders are all legal and necessary.

"In every instance cited here, a federal judge authorized the law enforcement activity," said DOJ spokesman Dean Boyd. "As criminals increasingly use new and more sophisticated technologies, the use of orders issued by a judge and explicitly authorized by Congress to obtain non-content information is essential for federal law enforcement officials to carry out their duty to protect the public and investigate violations of federal laws."

But Rebecca Herold, an information security, privacy and compliance consultant who calls herself the Privacy Professor, said treating email addresses, instant messages and other communication details as "non-content" information is, "not only radically outdated, it is contradicted by many existing laws and U.S. regulations.

"For example, HIPAA (Health Insurance Portability and Accountability Act) explicitly names such 'non-content' information items as a type of individually identifiable health information item. A few of these items include telephone numbers; fax numbers; email addresses; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; URLs; and IP address numbers," Herold said.

The ACLU and other advocacy groups including the Electronic Frontier Foundation (EFF) and Digital Due Process (DDP) are pushing for legislation to require better monitoring and reporting of DOJ surveillance and to require more than simple certification to permit non-content surveillance.

The DDP, in a list of "guiding principles," calls for that kind of surveillance to be allowed only after judicial review and a court finding that law enforcement, "has made a showing at least as strong as the showing under 2703(d)."

The 2703(d) provision requires "specific and articulable facts showing that there are reasonable grounds to believe that ... the records or other information sought are relevant and material to an ongoing criminal investigation."

That, said EFF senior staff attorney Lee Tien, means that a judge can decide whether to grant the request based on facts presented. "With a certification, there are no facts presented," he said.

Chris Calabrese, legislative counsel to the ACLU, said there are several bills pending that would address privacy advocates' concerns, including one that would require a warrant for so-called location tracking.

Another, filed in August by Congressman Jerrold Nadler (D-NY) to amend the ECPA, would expand the reporting requirements to apply to all federal agencies, as well as state and local law enforcement.

But nobody expects any of those bills to move until after the presidential election. "They're just not going to get a lot of floor time," Calabrese said.

Copyright © 2012 IDG Communications, Inc.
