Berkman Center for Internet & Society.
BOLD:
Berkman Online Lectures & Discussions

Harvard Law School > Berkman Center > Open Education >

 

PRIVACY IN CYBERSPACE

Intro
Online Profiling
Employees Privacy on the Net
Governmental Collection of Data - Part I
Governmental Collection of Data - Part II
Cryptography and other Self-Help Mechanisms

Module IV -
Governmental Collection of Data - Part I

Assigned Reading:

1. Please read the Introduction to this Module.

The Introduction to Module IV describes the relationship between the Constitutional requirement that the government have probable cause before "searching" an individual's communications, and the statutory frameworks that have been enacted to permit government agents to engage in cybersurveillance. The Introduction focuses on the key features of the Fourth Amendment requirements.

2. Please read the following summaries of relevant statutes (all enacted prior to the the USA Patriot Act):

--Title III of the Omnibus Crime Control and Safe Streets Act of 1968
--The Electronic Communications Privacy Act of 1986 (ECPA)
--Privacy Protection Act of 1980
--The Communications Assistance for Law Enforcement Act (CALEA) (1994)

3. Please read the short summaries of relevant cases in our Library of Cases

4. Articles:

Geoffrey A. North, Carnivore In Cyberspace: Extending The Electronic Communications Privacy Act's Framework To Carnivore Surveillance, 28 Rutgers Computer & Tech. L.J. 155 Rutgers Computer and Technology Law Journal (2002)

Privacy and the Internet: Welcome to the Orwellian World, 11 U. Fla. J.L. & Pub. Pol'y 79 (1999) for a more in depth explanation of the 4th Amendment and ECPA.

Terror's Confounding Online Trail, New York Times Article, March 28, 2002
http://www.nytimes.com/2002/03/28/technology/circuits/28TERR.html?ex=1018333699&ei=1&en=d7b0237f9318b34d

A Trick to Snoop on E-Mail, New York Times Article, http://www.nytimes.com/2001/02/05/technology/05JAVA.html


Optional Articles:

For a more detailed discussion of the Fourth Amendment and the Internet, see The Search and Seizure of Computers: Are We Sacrificing Personal Privacy for the Advancement of Technology?, 48 DRAKE Law Review 239 (2000).

For an in depth discussion of the shortcomings of the Fourth Amendment when applied to search and seizure of email, see Protection of Privacy in the Search and Seizure of E-Mail in the United States: Doomed to an Orwellian Future, 17 Temple Environmental Law & Technology Journal 97 (1999).

Searches and Seizures of Computers and Computer Data, 8 HVJLT 75 (1994)

For more information on Carnivore see:

FBI's pictorial explanation of Carnivore:
http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm

The CDT's Jack Dempsey's testimony before Congress on Carnivore:
http://www.cdt.org/testimony/000906dempsey.shtml

CDT's Carnivore Site, http://www.cdt.org/security/carnivore/

Computer World's Carnivore Site, http://www.computerworld.com/resources/specials/0,4513,RLS1405,00.html

Stop Carnivore Website, http://stopcarnivore.org/


Discussion Topics/Assignment:
Please read through the following hypothetical scenarios and discussion questions. Use the links after each question to submit your thoughts to the discussion board. You should try to seriously consider at least two of the scenarios discussed, but feel free to submit as many additional responses as you would like.

Applications of the Fourth Amendment and Statutes to Cyberspace--Real Cases and Hypotheticals:

1. World Wide Web
Since websites are accessible to anyone, there is no reasonable expectation of privacy for anything posted on a website. Anything posted on a website can be used by the government in an investigation or in court, provided it meets evidentiary standards for admissibility.

2. Chat Rooms
Communications in Internet chat rooms are not deemed private enough to receive Fourth Amendment protection. Writing in a chat room open to the general public is akin to speaking in public. Anyone can overhear what you say so nothing is reasonably private. The courts have determined that even in a "private" chat room (where you can restrict who enters), communications are not sufficiently private to receive Fourth Amendment protection. Since you do not know the other users in the chat room (you only know their usernames), one of the other users in the room could be an undercover agent recording everything you say. Therefore, in a chat room, you do not have an objective expectation of privacy (even if you believe, subjectively, that the chat room is private). See United States v. Charbonneau, 979 F.Supp. 1177 (S.D. Ohio 1997) (optional) for a complete discussion of the Fourth Amendment as applied to chat rooms.

3. Email
For Fourth Amendment purposes, email is treated analogously to letters sent through the U.S. mail. When someone seals an envelope and places it into the mail, they have a reasonable expectation of privacy. That letter cannot be seized by the government without a search warrant founded upon probable cause. However, once that piece of mail is received by the recipient, the recipient controls the letter. The recipient can do anything s/he pleases with the letter, so the sender no longer has a reasonable expectation of privacy. The sender has no standing to object to a government seizure of that letter from the recipient's hands. Email is treated the same way. Without probable cause and a search warrant, the government may not intercept email from the time the sender sends it until it is received. Once the recipient opens the email, however, the government may obtain the email from the recipient, or (using proper process) seize the recipient's copy of the email and the sender has no Fourth Amendment objection. Emails forwarded to large numbers of people also do not get Fourth Amendment protection. See Charbonneau. See United States v. Maxwell, 45 M.J. 406 (1996) (optional) for a discussion of the Fourth Amendment and email.

HYPOTHETICAL A
A pen register is a device that allows the government to determine the phone numbers to which a suspect places calls and those from which he receives calls. Without a warrant or court order, the FBI installs a pen register into Arthur's phone line and records all of the telephone numbers with which Arthur has contact. Has the FBI violated Arthur's Fourth Amendment rights?

(Students should consider whether they think there is a reasonable expectation of privacy in the digits one dials from one's home phone. The Supreme Court has spoken on this issue and its answer is no. [Your answer, of course might be different.] The Supreme Court reasoned that when you place a phone call you essentially tell the phone company (a third party) the digits you are dialing so you have no objective expectation of privacy in the dialed numbers. Therefore there is no constitutional protection for such address information. The Fourth Amendment only protects the contents of communications, not the "communication attributes." However, there are statutory protections (CALEA) that govern pen register use by government agents. [Pen registers, communication attributes, and Smith v. Maryland, 442 U.S. 735 (1979) are discussed in the Introduction to this Module. The cases and statutes are discussed in the Statutory summary and in the Library of Cases.])

HYPOTHETICAL B
Now suppose the FBI has a device like a pen register but for Internet communications. Assume that the FBI installs this device onto Arthur's Internet Service Provider (ISP) server without obtaining a judicial order. In other words, Arthur never sees the FBI, and the FBI deals directly with Arthur's ISP. Using this device, the FBI can now see the "headers" of Arthur's incoming & outgoing emails. The "header" includes significant information such as the IP address of the sender & recipient, (but not the contents of those emails). The FBI can also see the URL addresses of every website Arthur visits. Has the FBI violated Arthur's Fourth Amendment rights? (Note that Arthur's statutory rights may have been violated if no order is obtained.)

(This issue is still up in the air. One argument is that email addresses, IP addresses and URL addresses are no different from telephone numbers. Arthur turns these addresses over to the ISP so the ISP can deliver his email so he has no reasonable expectation of privacy. They are only address information and do not contain content so they do not receive Fourth Amendment protection. On the other hand, email "headers" contains much more content-like information than telephone numbers. In addition to time, address, and location information like IP and URL addresses, an email header contains information about the software used to create the email and the subject line.

Carnivore Case Study
"For the honest good citizen, privacy is extremely endangered and tracking is ubiquitous. But I don't see a sign that we've ever been able to build a system that criminals with serious intent haven't been able to circumvent." [1]

Hypothetical B, of course, is not so hypothetical. The FBI has developed new software, formerly called Carnivore [2], that allows the FBI to "tap" the Internet. This system was designed to assist the FBI with surveillance of electronic communications. Installed into an Internet Service Provider's (ISP) network and controlled by the FBI, Carnivore is intended to distinguish between the communications the government may lawfully intercept (those for which they have a warrant or court order) and those communications the government may not intercept. Carnivore, acting like a "sniffer," searches through all traffic on a network on which it is installed, and not just traffic emanating from a particular computer connection. Carnivore supposedly records only information sent to or from a suspect under surveillance. The information Carnivore records is then viewed by FBI agents. According to the FBI, Carnivore works like a filter, filtering out information not covered by a warrant so that FBI agents only actually see material they are entitled to view.

The FBI, however, has not released detailed information about how Carnivore works so no one is really sure if what the FBI claims Carnivore does is actually true. Since the government, and not ISPs control Carnivore, there is no way of knowing exactly what information gets through the filter and into the FBI's hands. Since Carnivore is installed directly into an ISP's network, the program literally monitors every piece of information that travels across the network. Unlike telephone pen registers (or trap and trace orders), which record and collect information about a single telephone connection, for Carnivore to work properly it must sort through all packets of information that pass through the ISP's server. Early reports, based on the limited information the FBI has released, claim that more information than indicated by the warrant gets through the Carnivore filter and therefore the FBI views more information than it is entitled to.

In addition to the provisions regarding interception of electronic communications and access to stored communications, the ECPA regulates use of pen registers. A pen register is a device that allows the government to determine the phone numbers to which a suspect places calls and those from which he receives calls. To receive a pen register warrant, law enforcement officials must demonstrate that "the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation." This relevancy requirement is a much lower standard than the probable cause requirement necessary to obtain a court order to intercept an electronic communication.

In addition, the Communications Assistance for Law Enforcement Act (CALEA) [http://epic.org/privacy/wiretap/calea/calea_law.html] requires law enforcement officials to obtain a court order to intercept electronic communications. [This Act is discussed in the Statutory Summaries Section.] Such a court order is obtainable only with a showing that there is probable cause to believe that a crime is being committed, that communications about the crime will be intercepted and that the equipment being tapped is used by the suspect in connection with the crime. This standard under CALEA is higher than the standard required by the Fourth Amendment alone, which just requires probable cause that a crime has been committed.

Does Arthur, then, have any claims under the ECPA? Under the ECPA and CALEA, what steps must the FBI take to make their actions legal?

(Arthur clearly has a claim. Under the ECPA, the FBI must get a pen register warrant to install a pen register and by hypothesis they did not do so here. A pen register warrant would make the FBI's actions in part (1) legal. For part (2), it is clear that the FBI needs at least a pen register warrant. However, it has not been decided if a pen register warrant is sufficient to obtain email, IP and URL address information. Since this information is more content like, obtaining this information might require a court order based upon probable cause.)

HYPOTHETICAL C
Assume that Chuck also uses GoNet as his ISP. Chuck is an upstanding citizen who no one believes is, has been, or will be committing criminal acts. The FBI does not have a court order pertaining to Chuck or anyone with whom Chuck exchanges emails. The FBI does, however, obtain a proper court order to install Carnivore to Arthur's email messages. Assume, however, that since Chuck's email messages must go through the same Carnivore filter that Arthur's does, Carnivore necessarily reads at least the headers of all such emails sent or received by Chuck and all of Chuck's neighbors who use GoNet.

Does Chuck have a claim under the ECPA? Has the FBI violated Chuck's Fourth Amendment rights? Does it matter if Carnivore works exactly the way the FBI claims it works (only email to/from those under surveillance gets through the filter and is recorded)? Alternatively, suppose some electronic communications for which the FBI does not have a warrant occasionally get through the filter and are viewed by human eyes?

(The first issue is whether Carnivore itself is a search. This revisits the issue of whether looking at address information is a search. If it is not, then if Carnivore functions the way the FBI claims, it is probably not conducting a search when it filters out packets. If looking at address information is a search, the next question to ask is: Is only the computer program itself, acting like a sniffer and looking at the address information, a search (or do human eyes have to view the address information to make it a search)? This is a key issue that focuses on the relationship between a particular technology and current law. Participants might also discuss what happens if some of Chuck's email messages get through the filter. In such a case, is the FBI is violating Chuck's Fourth Amendment rights because they are intercepting his email and viewing the contents of those emails without a court order based on probable cause?)


HYPOTHETICAL D
Desai has a personal website on which she has posted pictures of herself and her friends. Her website also contains biographical information about herself and links to her favorite websites. Is Desai's website protected under the Privacy Protection Act of 1980 (PPA)? Does it make a difference if Desai's website also contains extensive information about *NSYNC, her favorite band?

Harvard Law School (HLS) has an extensive website. The HLS website contains historical information about the school, information about current classes and professions, the school calendar, online courses and a multitude of other information. Assume for this hypothetical that HLS does not publish any newsletters, newspapers or articles on its website. Does HLS's website receive protection under the PPA?

The Privacy Protection Act of 1980 (PPA) was enacted to protect the freedom of the press. (http://www.privacycouncil.com/maps/UnitedStates/federal/Privacy_Protection_Act.htm)
The original goal of the PPA was to allow reporters to investigate and develop sensitive stories without fear of government interference. Under the PPA, the government cannot conduct a search or seizure of materials from a "publisher" without probable cause. The probable cause standard under the PPA is higher than the usual standard for warrants. The government can only obtain a warrant under the PPA if there is probable cause to believe that the materials sought are themselves involved in the commission of a crime.

Under the PPA, "publisher" is defined as "a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." Online systems that provide publishing services (such as online newsletters) or engage in publishing related activities (e.g., collection of documentary information via email) are protected under the PPA. Whenever a system does qualify as a "publisher," protection under the PPA extends to the entire system, not just the parts of it engaged in the publishing activity. Monetary damages are available as a remedy for violations under the PPA.

(There is no right answer to Hypothetical D. Many websites would appear to fall within the definition of publisher. Websites, like newspapers and broadcast news, provide news and information to thousands of "viewers" worldwide. But what information is newsworthy enough to qualify for PPA protection? How important or of interest to the public must information be to be protected under the PPA? Must it be serious news? These issues, however, have not yet been decided by the courts so it is uncertain whether or not whether websites like Desai's or HLS's would be covered under the PPA. )

Go to Discussion Summary

(Please Note: We will address the use of Carnivore to capture clickstream data in Module V.)

Additional Readings & Resources (optional):

Additional Online Resources:
1. CDT's Government Surveillance Page, http://www.cdt.org/wiretap/
2. EPIC's Wiretap Page, http://epic.org/privacy/wiretap/default.html
3. CDT's Report on Communication and Privacy in the Digital Age, http://www.cdt.org/wiretap/9706rpt.html#one.
a. Good overview of technology that allows wiretapping of electronic communications and the laws that surround the issue.
4. Communications Privacy In the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy, http://www.cdt.org/publications/lawreview/1997albany.shtml
5. US Federal Wiretap Laws as of Jan. 2000, http://www.eff.org/pub/Privacy/CALEA/200001_us_fed_wiretap_laws.html
6. Testimony of James Dempsey before the Subcommittee on the Constitution regarding the "Electronic Communications Privacy Act of 2000," "Digital Privacy Act of 2000," and the "Notice of Electronic Monitoring Act of 2000", http://www.cdt.org/testimony/000906dempsey2.shtml
7. For more in depth discussion of CALEA:

See Privacy and Law Enforcement in the Digital Age, 18-WIN COMLAW 3 (2001) for a more in depth discussion of CALEA.

Is "Big Brother" Listening? A Critical Analysis of New Rules Permitting Law Enforcement Agencies to Use Dialed Digit Extraction, 84 MNLR 1051 (2000), provides a good explanation of pen register laws, but does not discuss application to the Internet.

Online CALEA Resources:
--United States Telecom Association v. FCC, a recent Court of Appeals case regarding interpretation of CALEA, http://www.epic.org/calea/dc_cir_decision.html
--CDT's CALEA Reference Page, http://www.cdt.org/digi_tele/
--CALEA Homepage, http://www.askcalea.net/

Footnotes:

[1] Terror's Confounding Online Trail, New York Times Article, March 28, 2002 http://www.nytimes.com/2002/03/28/technology/circuits/28TERR.html?ex=1018333699&ei=1&en=d7b0237f9318b34d

[2] After what it regarded as a public relations fiasco, the FBI now prefers to call the internet tapping device DCS-1000, but we will continue to use the term Carnivore because although the name was changed the mission remains the same. For more information on Carnivore see:

FBI's pictorial explanation of Carnivore http://www.fbi.gov/programs/carnivore/carnlrgmap.htm
The CDT's Jack Dempsey's testimony before Congress on Carnivore
http://www.cdt.org/testimony/000906dempsey.shtml
CDT's Carnivore Site, http://www.cdt.org/security/carnivore/
Computer World's Carnivore Site, http://www.computerworld.com/resources/carnivore
Stop Carnivore Website, http://stopcarnivore.org/

RETURN TO COURSE HOMEPAGE AND SYLLABUS

 

 

 
Please send all inquiries to: BOLD@cyber.law.harvard.edu

Welcome | Registration | Discussion | Reference |

The Berkman Center for Internet & Society