Is Einstein Reading Your Email for the Government?

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. - Justice Louis Brandeis (1928)

A recent ABA Journal article on privacy law (Feds Can Monitor Personal E-Mail Sent Privately to Gov’t Workers, DOJ) began as follows:

You might think that a private e-mail sent to another U.S. citizen's personal account isn't subject to government monitoring. But that assumption could be wrong if the recipient is a federal government employee.

Both recipients and senders have no reasonable expectation of privacy if an e-mail is opened by a federal employee logged into a work computer network, according to an Aug. 14 legal opinion from the U.S. Department of Justice that was released Friday.

The Memorandum (PDF file) begins,

Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws.

The Memorandum “briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system.” The arguments presented are basically:

  1. There is no "search" under the 4th Amendment;
  2. If there is a "search", then it is reasonable; and
  3. Federal laws trump any state laws.

The central premise of the Memorandum is this: while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet, the deployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each agency participating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements, or their substantial equivalents.

The government's position (which methinks goes too far) is summarized below.

No Search Under the 4th Amendment

The government argues there is no search for Fourth Amendment purposes because “the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of Government-owned information systems…."

[Further]… individuals in the private sector who communicate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through Government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency.

… By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the Government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a Government-owned information system for any “lawful purpose,” including the purpose of protecting federal computer systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the Government to intercept, monitor, and search any personal use of the employee’s Government-owned information systems has no Fourth Amendment right against the Government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity.

The Memorandum goes on to say this applies even when the email was sent to the employee’s non-governmental or personal account. When the

sender of an email to an employee’s personal, Web-based email account (such as Gmail or Hotmail) does not know of the recipient’s status as a federal employee or does not anticipate that the employee might read, on a federal Government system, an email sent to a personal email account at work or that the employee has agreed to Government monitoring of his communications on that system. A person communicating with another assumes the risk that the person has agreed to permit the Government to monitor the contents of that communication.

But If It Is a "Search," Then It's Reasonable Anyway

The Memorandum argues that even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, "…those operations would be consistent with the Amendment’s “central requirement” that all searches be reasonable [because] the Government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements."

State Privacy Laws vs. The Supremacy Clause

The Memorandum’s final argument is that the EINSTEIN 2.0 program does not run afoul of state wiretapping or communication privacy laws, due to the Supremacy Clause.

To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above, they would “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause.

What do you think? Do you buy the argument that if you send an email to a government employee's private Gmail or Yahoo account, then the government may have the right to read the email?

Preceding the last presidential election, Condoleezza Rice was apologizing to presidential candidates for government intrusions into their private passport records. President Obama, a candidate at the time, called for hearings on the matter. Watergate, Hoover, and McCarthyism should remind us of the ends to which government intrusions into personal privacy can lead. Deeper historic reflections illuminate this point even more. Benjamin Franklin offered, "they who would give up an essential liberty for temporary security deserve neither liberty nor security." Of a more local flavor, Boston's Samuel Adams stated:

Driven from every other corner of the earth, freedom of thought and the right of private judgment in matters of conscience, direct their course to this happy country as their last asylum.

Keylogging for Evidence

In my recent post, Encryption and the Right to Maybe Remain Silent, I discussed the government's efforts to obtain encrypted evidence on a laptop. The issue was whether an individual can be forced to decrypt incriminating information. While this area of law has many new questions, there's always more than one way to skin a cat.

Even in cases where decryption was not ordered, the government may have taken actions to find encryption keys through a keylogger (which records keystrokes) or other devices. Declan McCullagh discussed this in his 2007 CNET post, Feds use keylogger to thwart PGP, Hushmail:

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.

Encryption and the Right to Maybe Remain Silent

If data is encrypted, can the police force you to decrypt it or provide them with an unprotected copy? What about self-incrimination and abrogating one's right to remain silent? 

The U.K. appears to have addressed this question more frequently than the U.S., often requiring individuals to provide access to encrypted materials. Here are some examples:

Failure to hand over either cryptographic keys or data in a decrypted form that resides in the UK or is hosted on UK servers and affects a police or military anti-terrorism investigation could now cost the data holder up to five years in prison. All other failures to comply can lead to a maximum two-year sentence.

But the law does not authorise the government to intercept encrypted materials in transit on the internet via the UK or to attempt to have them decrypted under the auspices of the jail time penalty.

The Court of Appeal has said, though, that an encryption password is not in itself incriminating information and that both it and the information on the computers exist outside of and independent of the men. It said they do not have the right to refuse to divulge the keys.

The Federal Evidence Blog discusses a U.S. case, In re Boucher, in its post Compelling Access to Encrypted Laptop, where the court ultimately required that an unencrypted computer be provided to law enforcement officials.

Fifth Amendment Privilege was not violated by compelling the defendant to provide an unencrypted version of his laptop drive ... to the government, in In re Boucher, (D.Vt. Feb. 19, 2009) (No. 2:06-mj-91) (2009 WL 424718) (unpublished) ("Boucher II") PDF

The court's decision in Boucher, however, may only apply to the unique facts in that case and not more generally. Until a body of law has emerged, there is likely to be a continued case-by-case analysis applied in encryption issues.

Family Relationship Not Enough for Search or Detention and No Qualified Immunity for Officers if Ignored

A three-member U.S. District Appeals Court for the District of New Mexico finds that a familial (family) connection to a suspect supports neither probable cause for a search warrant nor reasonable suspicion for an investigative detention of a relative. Further, officers who get this wrong can't raise "qualified immunity" as a defense in a § 1983 lawsuit.

This case demonstrates the difficulties that often arise between police powers and individuals' privacy rights. Those who favor broader police powers will decry this ruling and argue it will have a chilling effect on law enforcement. Alternatively, others will celebrate a ruling which recognizes individuals' protections from unreasonable search and seizures (due primarily to a familial relationship) and that also gives these rights a civil remedy which has some teeth.

In this case (PDF here), officers obtained a warrant and ordered the search of a murder suspect's in-laws' property. Later, officers also stopped the suspect's sister-in-law in an investigative detention. The court held the officers' actions in both cases violated the in-laws' Fourth Amendment rights and ruled,

we hold that a familial relationship is insufficiently particularized to justify invading an individual's reasonable expectation of privacy. ... Applying this rule to the present case, we conclude that the...status as...in-laws, combined with the meager additional facts..., were insufficient to support a finding of either probable cause to search the property or reasonable suspicion to detain [the sister-in-law.]

The officers unsuccessfully argued, in part, that the search of the in-laws' property was constitutional because it was authorized by a warrant supported by probable cause. In a 2-1 split, the majority disagreed and found that, because these Fourth Amendment principles were clearly established, the intrusions were unreasonable. Further, the majority held the officers are not entitled to raise qualified immunity as a defense to the in-laws' civil suit against them. Justice O'Brien, dissenting, stated,

Regrettably, I can find comfort in no part of the majority opinion.

In support of the officers' actions, O'Brien argues,

[a] law trained judge found the affidavit sufficient to establish probable cause and issued the warrant....
...
Qualified immunity seeks to...[shield] officers from damages liability for the performance of their discretionary functions so long as their actions are objectively reasonable in light of the clearly established law at the time of their actions....That standard "gives ample room for mistaken judgments," protecting "all but the plainly incompetent or those who knowingly violate the law."

The majority dismissed the dissent's arguments and found the officers could be liable in a § 1983 claim because they had a duty to exercise professional judgment objectively and despite any approval by a judge,

"employ[ing] a reasonable process in seeking the warrant" does not relieve officers of their constitutional duty to "exercise their own professional judgment" as to the existence of probable cause.

SUMMARY

U.S. District Appeals Court for the District of New Mexico finds:

  1. "A familial relationship to someone suspected of criminal activity, without more, does not constitute probable cause to search or arrest."

  2. Officers failing to heed this interpretation may be subject to civil liability under a § 1983 lawsuit without the protection of a "qualified immunity" defense.