From cell phone tower dumps to the NSA's surveillance compound in Utah, the number of tools that government agencies use to obtain and store the communications records of phone and internet subscribers has expanded immensely in the past few years. An article in yesterday's Wall Street Journal focuses on an unnamed phone company in Northern California who, with the help of the EFF, has been fighting since May of 2011 against one method that's particularly alarming in its obscurity. The National Security Letter (NSL), created by statute in the 1980s and expanded greatly in power by the USA Patriot Act in 2001, is a kind of secret subpoena that can give the FBI free reign over an American citizen's cell phone data — including text messages, call logs, location data, and more — without the need for judicial approval or oversight.
If a letter that seizes user data without a court order is a jab against civil rights, due process, and the system of checks and balances, the accompanying gag order is the right hook. Under the invocation of "National Security," such orders forbid service providers from notifying the individuals being targeted.
In the event that the individual discovers that they are a target, they are similarly forbidden from acknowledging or discussing the NSL with anyone but a lawyer. But with the EFF's new case, the FBI is going even further to prevent its unchecked mandates from being scrutinized: the unnamed phone company, in challenging one of the five NSL statutes, was actually counter-sued by the federal government on the grounds that their lawsuit "interferes with the United States' Sovereign interests." The EFF released redacted documents earlier this week revealing details of the case for the first time.
"If I was able to tell you who the target of the letter was and what kind of information was being sought, you would be appalled."
In the Wall Street Journal's report, one targeted individual, a small-time ISP owner named Nicholas Merrill who revealed himself after a successful appeal in 2010, spoke out against the practice. "I feel like if I was able to tell you right now who the target of the letter was and what kind of information was being sought, you would be appalled," he said.
Nearly 40,000 NSLs have been issued in the past year, with the total number of letters sent over the last decade coming in at around 300,000. And although Merrill's case resulted in the NSL provision of the Patriot Act being struck down in court, the ruling has still not been enforced and is pending appeal.
In the meantime, customers continue to ponder where their data ends and third party property begins. At a talk on warrantless police surveillance during the HOPE hacker conference in New York City last week, EFF's Hanni Fakhoury zeroed in on the crux of this old dilemma: because we entrust our private data to third party services as a natural condition of their use, our privacy rights when dealing with heavy-handed law enforcement are almost always completely out of our hands. In addition to the weakened and notoriously out-of-date Electronic Communications Privacy Act of 1986, Fakhoury points to the troublesome "third party doctrine" of the Fourth Amendment, which dictates that a citizen forfeits any rights protecting them from search and seizure when property is given to a third party.
It is essential that "Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy."
The doctrine was invoked recently against Malcolm Harris, the Occupy Wall Street protestor who challenged a subpoena for his Twitter data after being arrested for disorderly conduct on the Brooklyn Bridge last October. (Twitter announced today that it is once again appealing the decision.) However, many agree that the doctrine is showing its age. During the case of United States vs. Jones, where the Supreme Court ruled that warrantless GPS tracking was illegal, Supreme Court Justice Sonya Sotomayor said the doctrine was "ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks." One example of that information is cell site location data, the focus of Fakhoury's talk, which gets left behind as mobile phones connect to cell towers and is frequently accessed by law enforcement without a warrant. Sotomayor has said that when dealing with digital technologies it is essential that "Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy."
Fakhoury notes how in lieu of stronger privacy laws, the common response to complaints over warrantless searches — "if you don't like it, don't use the technology" — amounts to a false choice. And although third parties like Twitter and Google may have fought for users in the past, it would be foolish to believe they will continue to do so without fail.
"I think as of right now, average individuals likely can't put a lot of faith in private companies to protect their data," Fakhoury added in an email. "But as more and more examples are brought to light about companies stepping up for users, hopefully companies will realize this is a good thing from a customer relations/publicity point of view and the number of challenges will increase." In the meantime, Americans simply must demand better data privacy laws. "It's time to re-assess the third party doctrine," Fakhoury said at the conclusion of the talk. "It's going to be the third party doctrine that will determine how this area of the law is going to develop."