Laws That Shape Our Lives: Public Policy Essays

Introduction

Writing about public policy presents a challenge, for the field continually changes. New laws replace old ones, court decisions overturn existing precedents, and the winds of public opinion blow first one way and then the other. So, do not consider the essays in this book as representing some permanent, unchanging state of affairs. In fact, many of the policies examined here have met with substantial resistance in legislatures and courts, both in the U.S. and abroad.

For example, the Myriad Genetics case in Chapter 7 has since been overturned by the Australian High Court on appeal from the federal court decision discussed here. This brings the Australian view of Myriad’s patents more in line with the U.S. Supreme Court’s. Nevertheless, you will find a comprehensive background of that case here, and a deeper understanding of its complex history.

On the other hand, Australia’s policy on tobacco packaging remains intact, and as predicted here, it did lead the pack. Similar policy has recently taken effect in the U.K. at the time of this writing, and it is meeting similar resistance from tobacco companies. Understanding the history of the Australian policy will give you a greater appreciation of how and why these packaging laws are sweeping the globe, nation by nation.

Here in the U.S., the Email Privacy Act passed unanimously in the House of Representatives is now meeting some resistance as it awaits review by the Senate Judiciary Committee. At the time of this writing, the fate of the bill remains uncertain. Both corporations and the general public have called for reforms to the laws governing how federal agencies can access customer data and business data in criminal investigations, so we can reasonably expect a change. But will this new bill be the one?

The FCC’s net neutrality policy examined here has also met resistance, and seen some controversial application to corporate providers of broadband Internet services. While the policy does not appear to be in any immediate danger of going away, it is far from uncontested or unanimously popular.

In the same vein, few policies in the U.S. cause such emotional reactions as that of water fluoridation. Simply mentioning it tends to make people tense up and prepare to argue vehemently. I hope the fact-based research presented here will contribute to a more reasonable and level-headed discussion between both the supporters and detractors of this divisive policy.

Less divisive and perhaps more fantastic is the new realm of policy concerning exploration and mining of resources from asteroids and other celestial bodies. Many people are surprised to hear this once far-fetched topic is now a legitimate field of study for the policy analyst. The U.S. has now addressed property rights as they apply to mineral and other resources extracted from asteroids, and other countries will undoubtedly develop similar policies in the next few years.

So, while it is a challenge to write about the ever-changing realm of public policy, it is also a fascinating opportunity to take an in-depth look at the laws which affect our nation and our world. The big picture of the policies presented here is so big that becoming an expert on any one topic may feel impossible at first. But I hope you find these essays bring you a deeper and broader understanding of how national and international policies shape our lives, our planet, and our future.

Matthew Howard

June 2016

1

Get a Warrant:

Reforming the Electronic Communications Privacy Act in 2016

I. Introduction.

II. The ECPA: Origins and Constitutionality.

Communication Content.

Warrant Requirements.

The Third Party Exception.

Encryption and the ECPA.

III. The All Writs Act and Apple.

Demanding New Software.

Questions of Authority.

IV. H.R. 699 and Reforming the ECPA.

Notifying Investigated Parties.

Stricter Warrant Requirements.

V. Conclusion.

References

I. Introduction.

Encrypted data and user-locked devices present a challenge to federal investigators. In their attempts to access such data and devices in criminal investigations, the FBI and the Department of Justice have obtained warrants and court orders citing existing laws as giving them the authority to access the data. They have also called upon these laws to compel businesses to divulge the encryption keys which not only secure that data but the data of all the companies’ customers. Recently, the FBI has even demanded Apple create new software which would unlock smart phones for them. The requests for court orders have met with mixed response from federal judges who have at times issued the orders and at times denied them. Companies have sometimes complied with these orders and other times challenged them.

The challenges include many legal and business concerns. They range from the ideas of free speech and privacy to the scope of the government’s authority to coerce a business to undermine the data security at the very core of its services. These challenges are not easily dismissed, considering investigators are appealing to laws created long before the modern Internet.

For example, recent court orders involving Apple cited the All Writs Act of 1789. The FBI’s attempt to use this broad law to establish authority over electronic data should come as no surprise considering the resistance Lavabit offered to the FBI’s use of the Pen Register Act. That resistance resulted in contempt of court charges for Lavabit’s owner and the eventual closure of the company (Silver, 2016). The Pen Register Act was created in 1986 as part of the Electronic Communications Privacy Act (ECPA), a decade before the widespread use of email and search engines. Even as amended by the Patriot Act to cover electronic and Internet communications, the ECPA suffers from applying an old way of thinking to new problems. As it currently stands, the ECPA’s constitutionality is questionable for several reasons we will explore.

In April 2016, the House of Representatives took a step to correct this policy by unanimously voting in favor of H.R. 699, the Email Privacy Act. This Act would update the ECPA to require a warrant to access emails and data stored in the cloud. H.R. 699 now awaits a vote from the Senate before going to the President for enactment into law. H.R. 699 potentially solves the questions of constitutionality that arise when federal investigators access stored data without a warrant, and it also sets new boundaries about notifying customers when a service provider has been compelled to disclose the content of customers’ electronic communication.

II. The ECPA: Origins and Constitutionality.

As Title III of the Electronic Communications Privacy Act of 1986 (ECPA), the Pen Register Act was passed by Congress to provide some protection for consumers’ financial records and to regulate law enforcement’s use of pen registers following the landmark privacy cases United States v. Miller and Smith v. Maryland (Lipman, 2014, p. 473). The concept of the pen register comes from the era of pre-Internet telephone communication. A pen register records all the phone numbers dialed from a particular telephone, and a trap and trace device records all numbers that dial a specific phone number (MacArthur, 2007, p. 448). Both of these devices are now governed by the Pen Register Act (West, p. 55).

Communication Content. But while The Pen Register Act originally applied to numbers dialed to and from a specific phone, it was amended to include modern electronic forms of communication. In 2001, the Patriot Act amended it to cover dialing, routing, addressing, or signaling information, including IP addresses and email addressing information (Schwartz, 2009, p. 10). This data does not include the content of emails and communications, and the court’s majority opinion in Smith v. Maryland agreed that pen registers do not acquire the contents of communications (Lipman, 2014, p. 475).

To access the contents of communication, rather than data about it and its users, government agencies can invoke either the Wiretap Act or Title II of the ECPA, the Stored Communications Act. The Wiretap Act of 1968 was updated by the ECPA (U.S. DOJ, 2016). It covers communications in the process of being transmitted, such as a live phone call. But emails are transmitted quickly and are often not a live communication but an asynchronous one. For emails, transmission is the time it takes from clicking on the ‘send’ command to the moment the message arrives at the server of the recipient’s ISP (Schwartz, 2009, p. 11). Therefore, statutory authority to access emails in a criminal investigation often comes from the Stored Communications Act of the ECPA. Law enforcement agencies typically seek collection of email from ISPs [Internet Service Providers] under the Stored Communications Act, which generally has less rigorous requirements than the Wiretap Act (ibid). The rigorous requirement in question is a warrant.

Warrant Requirements. Accessing emails 180 days old or less requires a warrant. But under the Stored Communications Act, opened e-mails stored for longer than 180 days can be accessed by a government official with an administrative subpoena, a grand jury subpoena, a trial subpoena, or a court order (Lipman, 2014, p. 476). Unlike the probable cause requirement for a warrant, court orders merely require an official to show reasonable grounds to believe that the contents… are relevant and material to an ongoing criminal investigation (ibid).

Is the 180-day demarcation arbitrary? At least one Justice Department official believes so, having declared to the House Judiciary Committee there is no principled basis to treat e-mail less than 180 days old differently than e-mail more than 180 days old (Lee, 2013). Google and Yahoo agree, having stated they require warrants for the contents of email messages or user documents stored in the cloud regardless of the Stored Communications Act’s provisions (Lipman, 2014, p. 477). Google has claimed warrantless access to communication content violates the Fourth Amendment, and at least one Circuit Court has agreed (ibid.) The Sixth Circuit Court, in its opinion on United States v. Warshak, argued that where the Stored Communications Act allows the government warrantless access to emails, it is unconstitutional (6th Circuit, 2010).

The Third Party Exception. But questions about the ECPA’s constitutionality go even deeper. In their attempts to access electronic communications and data about them without a warrant, federal investigators have often appealed to the third party exception. This idea arises from the court’s opinion in Smith v. Maryland that individuals have no privacy interest in the information they voluntarily reveal to third parties (Lipman, 2014, p. 475). The court’s ruling has been taken to mean that by voluntarily revealing information to a service provider (the third party) to communicate, users have abandoned a reasonable expectation of privacy about the communication, and such information could therefore be obtained without a warrant.

Justice Marshall’s dissenting opinion in Smith argued to the contrary, calling into question just how voluntary the reveal was to the phone company in this case. How else would a person possibly make a phone call? Marshall wrote, It is idle to speak of ‘assuming’ risks in contexts where, as a practical matter, individuals have no realistic alternative (ibid, p. 480-481). Marshall’s opinion was echoed in Justice Sotomayor’s concurring opinion in United States v. Jones, where she further argued she could not assume all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection (ibid). She quoted Justice Marshall’s dissent in Smith, where he expressed the same sentiments: Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.

As if to further call this third party exception into question, Congress created several laws after the Smith v. Maryland case, all of which contained provisions to protect privacy in some way, especially where telecommunications and banking were involved: the Right to Financial Privacy Act, the 1996 Telecommunications Act, the Pen Register Act, and the Stored Communications Act. Taken as a whole, these statutes enacted by Congress indicate that records released to a third-party have some constitutional privacy value. (MacArthur, 2007, p. 456-457).

Encryption and the ECPA. The scope of the ECPA was further called into question when the FBI invoked it to demand a company’s SSL keys to unencrypt communications data in United States v. Lavabit. In the course of a criminal investigation, the Government obtained court orders under both the Pen/Trap Statute… and the Stored Communications Act (4th Circuit, 2014, p. 4). Lavabit employed two stages of encryption for its paid subscribers: storage encryption and transport encryption (ibid, p. 5-6). In other words, Lavabit’s service encrypted both stored emails and emails in the process of transmission, and the encryption covered not just the contents but non-content data about the emails.

When Lavabit contested the original orders, more court orders were issued until the FBI was first demanding they receive unencrypted data and eventually demanding the SSL (Secure Socket Layers) keys (ibid, p. 9-12). Lavabit used five key-pairs, one for each email protocol it supported, and the Court of Appeals’ decision admits that if even one private key-pair became anything less than private it could affect all of Lavabit’s estimated 400,000-plus email users (ibid p. 7-8). The district court was well aware that the keys would practically enable the Government to collect all users’ data (ibid, p. 17). Lavabit attempted to negotiate these orders with proposals that included limiting the duration of the register’s installation, requesting payments for the unencryption services, and offering to unencrypt certain metadata relevant to the investigation before giving it to the FBI.

But, having had enough of Lavabit’s delays, the Government obtained a seizure warrant from the District Court under the Stored Communications Act which demanded all information necessary to decrypt communications sent to or from (the target’s) Lavabit email account… including encryption and SSL keys (ibid, p. 13). The warrant is important because it sought to clarify something about the court orders which remained in question; namely, did the Pen/Trap Order provide sufficient authority to compel Lavabit to hand over its encryption keys? The district court observed that the Pen/Trap Order’s ‘technical assistance’ provision may or may not encompass the keys, but it declined to reach the issue during the show cause hearing because the search warrant had been issued (ibid, p. 14). The government agreed that it had sought the seizure warrant to ‘avoid litigating [the] issue’ of whether the Pen/Trap Order reached the encryption keys despite having contended that it did (ibid p.14-15).

Lavabit did eventually hand over the keys, first in the form of an 11-page printout containing largely illegible characters in 4-point type and then, at the investigators’ insistence, in an industry-standard electronic format (ibid, p. 17-18). But the process raises the question of whether or not the Pen Register Act’s provision mandating the company provide technical assistance during the register’s court-ordered installation could be broadly expanded to include handing over encryption keys which could render vulnerable the data for all users of the service. The Court of Appeals declined to reach a clear verdict on this question, finding it immaterial to the question