Court Upholds Warrantless Internet Snooping
amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.
And what happened (Score:2)
Re: (Score:2, Informative)
Address implies content (Score:5, Interesting)
The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling.
But a web address often has a 1-to-1 correspondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.
Re: (Score:2)
But a web address often has a 1-to-1 correspondence with its contents.
Exactly. Knowing the to/from ADDRESS is one thing; knowing the _content_ of the request is another thing. This ruling allows things like:
Yeah. Bad idea.
Re:Address implies content (Score:5, Informative)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Did you expect the next landmark civil liberties supreme court decision to revolve around correspondence between heart surgeons discussing the best way to save the lives of starving African orphans? If civil liberties only apply to people above suspicion in the first place, there's not much point in having them, now, is there?
Re: (Score:3, Interesting)
Often is the key word here. You ignore it in one of your examples (regular mail), but stress it in the other (web addresses). You would not be mailing to Bin Laden often — not any more often, than you would connect to a jihadist web-site to post "terrorists are swine" on it.
I think, the judge is right...
Re: (Score:2)
Re: (Score:2)
It would depend upon HOW they got that info. (Score:3, Insightful)
Exactly.
Now, there are possible ways to get the IP addresses that you connect to WITHOUT getting any more information than that (and such information is just about useless).
But I don't trust the government to put any effort into protecting MY Freedoms and privacy when it is so much easier for them to abuse such.
There is a huge difference between knowing
Re: (Score:2)
Well, for one, they are probably not after people who have antipolitical views, but have much larger fish to fry, like terrorists |) Still, it makes you wonder how you are judged because you can't really tell what the Internet is doing against your reputation, especially if some website is rigged to send data to the wrong places.
On the one hand, given today's connectedness, one might be tempted to build snoop technology just to see if it's safe to go downtown--and does the ruling ok
Re: (Score:2, Informative)
But a web address often has a 1-to-1 correspondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.
Heavens I wouldn't want the feds to know I had visited http://mail.google.com/mail/ [google.com] or https://www.paypal.com/us/cgi-bin/webscr?cmd=_account [paypal.com] - then they could figure out all my email and PayPal transactions! Address only implies content for publicly available resources - resources in which you have no reasonable expectation of privacy. If you want to keep something private, stick a login screen in front of it or encrypt it.
As far as your statement that this "search" (which it isn't) is unconstitutional, I
Re: (Score:2)
Unfortunately in an Internet world you need to stamp a return address on every packet you send out in the form of an IP address.
Re: (Score:2)
Don't act like something has been taken away. It hasn't. If anything, it has only been cleared up once and for all. This has been a question that has been out there since Clinton authorized Ec
Re:Address implies content (Score:4, Informative)
They actually realized that a log of IP addresses and a log of URLs are two very different things, and convey different levels of information. This was actually mentioned in a footnote (quoting from the Wired article [wired.com]):
An example is the difference between a log that shows "http://en.wikipedia.org/wiki/Surface-to-air_miss
Furthermore, just because a resource is "publicly available" doesn't mean that there's "no reasonable expectation of privacy." I expect that my Wikipedia browsing habits are between me, my ISP, and Wikipedia (and anyone else snooping on the line), likewise, although my Google searches are sent via GET URLs, that doesn't mean that they're public. (Particularly given that there's no alternative method, at least that I'm aware of, to use most search engines.) Libraries are public, also, but that doesn't mean that everyone's records are public information.
Re: (Score:2)
From the wikipedia article:
Re:Address implies content (Score:4, Interesting)
I'm not a fan of the pen register rule, but this seems like a completely logical and fair expansion of the rule to cyberspace.
Re: (Score:2)
I'm kinda conflicted on this issue. On the one hand, this is an invasion of privacy, just like recording who I send mail to, even if they don't read the contents. On the other hand, I can understand how this would be a valuable tool in law enforcement for things like dru
Especially where... (Score:2)
Re: (Score:2)
So just knowing that I went to a particular webmail URL wouldn't let someone else gain access to it without also knowing my password, or having some other way to snoop the authentication. (Maybe copying
Re: (Score:2)
Not to mention that the "address" of a web page is the IP address or domain name, not the full URL!
Re: (Score:2)
Re:Address implies content (Score:4, Interesting)
Re: (Score:2)
The difference ends in the description.
If I was going to snoop on the contents of an envelope, it would be obvious that it was opened (except in the case of a professional de-sealing, of course).
With the URL of a webpage (or the IP it originates from), it is more akin to a postcard than an enve
Re: (Score:3, Interesting)
Not that I necessarily support the ruling, mind.
Re: (Score:2)
But capturing the POST data (which would have to happen anyway, in the context of the transaction across the routers, through the wire-level sniffers), would certainly have that data.
Again, it's like me walking through your house, and saying I only looked at your walls, but not at anything else in your residence, after I opened your door with th
Re: (Score:2)
No, they aren't. Just as dialing a specific phone number may be very indicative of the content of the call, given the person on the other end, the URL and email addresses one is contacting are addressing info. Just because there is some incidental indication of content is not the same as actually searching
Re: (Score:2)
And yes, you do have a bunch of people who don't see this as the end of the world. There are more important things on their minds. When going to the polls, you aren't voting for the best man, you are voting for the lesser of two evils. The best men (women) for the jobs aren't even runni
Re: (Score:2, Insightful)
To me that puts the blame for this entire mess squarely on our shoulders. I saw a great poster the other day that says, "Child prostitution exists because YOU pay for it." I apply the same rules to spam and politics. The sellers are the serpent. The buyers are the sinners.
Re: (Score:2)
The problem is that if you don't participate, at least with the politics, you end up with worse than you want. You can't stop buying because it directly affects most of us and indirectly affects all of us.
Re: (Score:2, Informative)
But the logs they are looking at are generated by equipment that taps into the wires. And the contents of the logs are not public knowledge, the contents of the second inner envelope are a private matter between a user and their service provider.
They are much more detailed than a list of phone numbers called. They are much more detailed than the address on an envelope.
The logged URL provides more information than the destination address on the packet.
In fact, even knowing that what was sent w
The laws are technologically obsolete (Score:5, Interesting)
For example a wiretap is conceptually, if not legally, tied to telephony. In order to be a wiretap, a communication must have an aural component. Thus intercepting an email being sent over WiFi is not a wiretap, but a VoIP intercept is. Likewise intercepting an email with a voice mail attachment (such as might be generated by a voice mail/email gateway on a system like Asterisk) might qualify as a wiretap.
There are provisions for controlling the reading of text messages, but the law is written for a system like the old Telex system, in which the messages are ephemeral, but stored in temporary buffers at various stages of delivery. Thus while intercepting an email in a transfer agent queue is questionable, once it is delivered to your email box at the ISP, it becomes fair game. It is no longer in transit, but stored on a server. In the days of Telex, you'd take your message off the teleprinter, read it, and shred it, knowing that it was gone forever, not recoverable from your mail box or from backup tapes.
The third part of the ECPA laws deals with something called a Pen Register: a device that is attached to an old fashioned phone line to capture the in-band signaling of the phone numbers being called. Even though the privacy concerns for email or web proxy logs are identical, these situations are not covered by the Pen Register Act.
The underlying problem is this: although attempts were made in the laws to make them independent of a specific technology, those efforts failed because US law (unlike EU law) does not recognize a fundamental right to private communication. There are packages of specific rights secured by the Bill of Rights, statutes and common law privacy concerns, but these rights are much less than a true right of private communication. The reason is that you can't have a meaningful right to private communication when that communication is mediated by a third party like an ISP or a telephone company, not unless you have a fundamental right to informational privacy.
Without a right to information privacy, anything that falls into the hands of a third party is fair game. This includes information ISPs or telephone companies store in order to route and deliver a message, up to and including the entire content of the message. ECPA, which consists of the Wiretap Act, the Stored Communications Privacy Act and Pen Register Act, closed these loopholes in its time, but as of today those loopholes are wide open again.
This process will repeat itself forever, no matter how many times we close the loophole, until a fundamental right of informational privacy is recognized. We could do that by adopting into law the EU Data Directive. The reason we don't is that this would hurt US companies which are flourishing by exploiting America's backwater status when it comes to privacy.
Re: (Score:2)
Now I understand why Americans are screaming about their freedom all the time, it's to convince yourself that you have freedom, which of course is bollocks.
Americans wouldn't know what freedom was if it hit them in the head, but they sure like to brag about their non-existent freedom
Re: (Score:2)
And it's been years since I've set foot in a coffee shop.
Bad conclusion (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
The inquiry is whether you have a reasonable expectation of privacy, that is whether your expectation of privacy is objectively reasonable. The Fourth Amendment prohibits unreasonable searches and seizures, not searches and seizures that offend the most hypersensitive in the population.
Maybe it is the same. But I'm not convinced. (Score:5, Interesting)
That would be analogous to the IP address that you connected to (and maybe the port).
The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.
Encryption. Learn it. Love it. Live it.
Re:Maybe it is the same. But I'm not convinced. (Score:5, Interesting)
Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.
The price of Freedom ... (Score:5, Insightful)
If the worst thing that happens to you is some jail time because you refused to reveal your keys, consider yourself ahead of the game.
Fascism begins when the efficiency of the Government becomes more important than the Rights of the People.
Re:The price of Freedom ... (Score:5, Insightful)
Re: (Score:2)
s/Communism/Terrorism/g
Re: (Score:3)
Possibly. (Score:5, Insightful)
The way I look at it, if you could catch one more "bad guy" a day
Lots.
As opposed to Ben Franklin's:
They'd rather follow Otto Bismarck's opinion:
The problem is that it is the Government that chooses what "crime" and what "evidence" will be used to charge a person.
And the Government is composed of people. Sometimes honourable. Many times petty and vindictive if not outright criminals. Which is why our country was founded upon the belief that you cannot trust the Government. That we had to limit the Government's authority and protect the Rights of the People.
It's all about how you view Rights and whether you are with Franklin or Bismarck.
Re: (Score:2)
Lovely ideal but the practical considerations of having your life fall apart - job, marriage, family, friends all gone - say hi to your new cellmate whose hobbies include anal penetration of yourself aren't so nice.
Re:Maybe it is the same. But I'm not convinced. (Score:5, Insightful)
Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.
Even in the scenario where you are required to surrender your keys, encryption is still quite useful in the context of this article / warrantless searches. The authorities would need a warrant to make you surrender your keys, and you would know you were being spied upon.
Re: (Score:3, Insightful)
Re: (Score:2)
Re:Maybe it is the same. But I'm not convinced. (Score:5, Interesting)
Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.
Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it?
You mean the United Kingdom. Sadly Scotland is also sucked into RIP silliness.
The police and other law enforcement agencies still need a judicially signed warrant to obtain those keys. There's all sorts of stupidities in there - but let me ask a question: Why should you be able to refuse to obey a properly formed court order? If they served a legitimate court order to hand over the keys to your house, should it be legal to flip them the finger? If you think that encryption keys are somehow immune to warranted seizure, you have to say why. Alternatively, if you think that all court seizure orders are wrong, then you probably have to defend that one even more!
I don't have a problem with warranted search and seizure. I have a huge problem with the LEAs thinking that privacy is solely a cover for people to do evil things.
--Ng
2nd Amendment (Score:3, Interesting)
GP: Until they illegalize it.
PP: Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :
Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it.
Re: (Score:2)
I can't remember all the details, but ISTR that most publicly available crypto systems were placed under the EAR (Export Administration Regulations) under the Department of Commerce, rather than the munitions list. The change happened under the Clinton administration, I think.
Anyway, I think the second amendment guarantees
Re: (Score:2)
How about introducing a license to employ encryption. One where the banks and electronic trade organizations covered had a license that covered the end user. Anything done to employ encryption that hasn't been approved by an organization with a license is illegal. That'd make using PGP to send messages illegal f
Re: (Score:2)
Not really. As Ron Rivest illustrated with the winnowin
Re: (Score:2)
You mean like the US president's little habit of wiretapping without a warrant, or your CIA's little habit of spiriting people off to foreign countries and holding them without charge for almost 5 years? Or how about the whole thing with the RIAA/MPAA decide
Re: (Score:2)
Not everyone, indeed. Including most judiciaries in the world! :-)
I think most states would treat a password as like the combination to a safe. You cannot be physically tortured into revea
Re: (Score:2)
As I wrote about almost exactly 2 years ago to the day [gnu-designs.com], this is our calling.
How do we answer?
Withhold your keys, indefinitely.
Let them keep asking for them. Keep saying NO! If they jail you for it, go. If they keep asking, keep saying NO.
Stand up for what you know is wrong, and let millions of others do the same.
Remember, we put our government into place to represent our best interests. Wh
Re: (Score:2)
Of course, the government response to such reasoning would probably be to make withholding encryption keys a crime of such magnitude that you'll gladly give in to avoid more time in the pen than any ordinary criminal activity would land you. They justify that kind of abuse because, obviously, if you won't give them your keys you have something to hide, and the more you resist the more s
Re: (Score:2)
Personally (and if you read my blog entry on it), it's a cost I'm willing to bear.
What I believe in, and my morals are not subject to compromise.
Re: (Score:2)
That's good. Stay with it, you have the right idea. You just need to convince fifty or sixty million other citizens to think the same way. If you can, why, we'll have a genuine movement on our hands.
Making changes to the way a government works is less a matter of general principle (most Americans believe in what you're saying, I know I do) but of motivation and a willingness to take measured risks. You need to get people en-masse to get up
Re: (Score:2)
Re: (Score:2)
Not quite.
I can generate a key that would take them longer than several lifetimes to crack, and encrypt my data with that. By the time they crack it, assuming they can brute force it, the data they get will be out of date and useless.
Remember, computers are still limited by physics, and we know what the maximum speed is; the speed of the electron.
Re: (Score:2)
At least, at that point, you know it's happening. Someone can't put a gun to your head and demand your passphrase, without cluing you into what's happening. (Well, ok, barring rohypnol or something like that. ;-)
The British system sucks, but at least it keeps [that type of] surveillance "personal." When you force attackers to take active measures to thwart your privacy (i.e. make them make you give up keys, make them do MitM attacks ins
Don't forget all your Little Brothers (Score:2)
One other thing to remember: while governments do tend to be the biggest threat to freedom and happiness, they're not all you have to worry about. Even that UK law only says you have to give your keys to the government, not just anyone who asks. You don't have to give your keys to Google, for example, so that they can scan your emails
Re: (Score:2)
It's not quite that simple. They do have to be able to demonstrate to the court that there was a high likelihood that you were in possession of the key within a reasonable time frame (ie, if you were receiving emails encrypted with that key until yesterday, and responding with emails which were also self-encrypted under that key) then the court might hold that you
Who said the other stuff was right? (Score:2)
The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.
That's a valid point, supported by disturbing evidence. [slashdot.org] What I think they want you to think is that they can require ISPs to keep the information and demand it at any time. TIA was planned before 911 and is largely in place, despite overwhelming popular objections and Congressional disapproval.
There are objections [slashdot.org] to the other practices as well.
Re: (Score:2)
I can't see Comcast or AT&T telling the Feds
More specifically (Score:5, Informative)
Re: (Score:2, Redundant)
Re: (Score:2)
What this is really, is a legal way of labeling everyone on the internet as a p
Re: (Score:2)
Well, from a law enforcement point of view, everyone IS a potential criminal.
However I wish them luck drowning in their ocean of data. And hopefully the false positives will be able to prove their innocence (isn't it supposed to be the other way around?) and avoid going to jail.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Fwiw, I find it odd that this URL/content info which Law Enforcement [within the 9th Circuit, at least] is not allowed to collect without a warrant is routinely collected with impunity by tracking cookies, "transparent" proxies, and so on. If this decision is going to stand, there should be some impact on legislation anti-spyware and private monitoring of internet activity by advertisers and ISPs.
Also, if I understand the situation correctly, e.g. Google already tracks all this information about their us
Great! (Score:2)
Re: (Score:2)
Ninth Circuit (Score:5, Informative)
http://upload.wikimedia.org/wikipedia/commons/thu
Editors, please.
Re: (Score:2)
Misleading Summary (Score:5, Informative)
Still all things considered this seems like the correct rule. Subject lines don't contain that much information and if you are concerned you can just use an unrevealing subject. Moreover, we already contemplate the possibility that someone who happens to glance at the recipient's screen might notice the title so it really doesn't seem like we have the same expectation of privacy for the title of the message as we do for the body.
Anyway for a better more interesting discussion about this case you can check out Orin Kerr's comments [volokh.com] over at the Volokh Conspiracy.
How this mess developed (Score:5, Informative)
This mess developed over time.
All this stems from a distinction in wiretap law that goes back to the dial telephone era. Listening to voice requires a warrant, because that info belongs to the parties of the call only. But information used by the telephone company itself to route the call, like dial digits, can be requested from the telephone company. A "pen register" was classically a little electromechanical gadget that recorded dial pulses as dashes on a paper tape. There was no way to extract voice info with a pen register.
Then came Touch-Tone. Now the switching data was in the voice channel. After some court decisions, it was established that listening to the voice channel and extracting tones was OK, if done with "minimal" access to the voice channel.
Over time, this led to the "pen register" exception being extended to content the telco didn't process, including tones sent during a call to third-party services like voice mail, packet headers, E-mail headers, cellular location data, etc. Then came a "lower standard for stored messages", which included SMS messages and E-mail. Then came bulk interception via CALEA. Then the Patriot Act.
/me brags about Canada (Score:3, Informative)
In Canada, the police need a warrant [justice.gc.ca] (CanLII link [canlii.org]) to get a dialled-number recorder placed on someone's phone (though apparently such a warrant is easier to get than a wire-tapping warrant), so extending this to the Internet wouldn't really be all that scary.
I think Quebec's general unwillingness to trust the federal government probably helps a lot here.
Re: (Score:2)
It also helps that Canada doesn't have the Fourth Amendment. The Fourth Amendment only bars unreasonable searches and seizures, and the reasonableness jurisprudence is obviously different than whatever you guys have concocted in Canada from general English common law principles.
So... (Score:2)
http://en.wikipedia.org/wiki/Tor_(anonymity_netwo
and
http://en.wikipedia.org/wiki/GNU_Privacy_Guard [wikipedia.org]
The alternative would be to vote the idiots out of office, but it doesn't seem as if that will happen any time soon.
Re: (Score:2, Insightful)
Re: (Score:2)
individuals making legal decisions that you didn't vote for.
Your elected representatives did.
The problem was, your elected representatives were not paying attention,
were too scared to think straight, and voted for people and legislation in a hasty manner.
An example would be those that voted for the Patriot Act without even reading it.
Article is misleading... here's one from wired. (Score:4, Interesting)
--
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields
The Ninth Circuit Court of Appeals ruled Friday in United States vs. Forester that IP addresses and the To/From fields in emails are the legal equivalent of dialed phone numbers and the government can get a court order to obtain them without showing probable cause as would be needed in a search of one's house.
The Court extended to the internet a 1979 case known as Smith vs. Maryland, where the Supreme Court found that individuals have no reasonable expectation of privacy in the phone numbers they dial because they transmitted them to the phone company in order to complete the call. However, under Smith, the contents of the calls could not be listened in on without proving probable cause to a judge.
The Ninth Circuit, ruling in an appeal of an Ecstasy-drug ring conviction found that emails' To/From fields and visited IP addresses were the internet's equivalent of phone numbers. For example, the government could get a log that said a person visited http://66.230.200.100/ [66.230.200.100] (Wikipedia's address). However, the court suggested that full URLs are very close to content (e.g. http://en.wikipedia.org/wiki/Ecstasy [wikipedia.org]) and would likely require a higher burden of proof to obtain than mere IP addresses.
From a footnote in the decision:
Professor Orin Kerr questions whether the decision is about getting this information from an ISP or whether it was from a device installed on a computer surreptitiously. He suggests the latter should require a higher standard, but I'm not sure why? Perhaps it's because that might require law enforcement to enter a person's house?
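The difference between an IP-address log and a URL log described above, as an added example (not part of the original thread, the Wired article or the ruling): the Python below builds two constructed packets to the Wikipedia address quoted above and shows that the addressing record comes from the headers alone, while a URL record requires reading the payload and is unavailable once the payload is encrypted. The source address 192.0.2.10, the port numbers and all function names are assumptions.

```python
import socket
import struct


def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet around payload (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def addressing_view(packet):
    """IP-level record: only the fields routers need to deliver the packet."""
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
    }


def tcp_payload(packet):
    """Return the bytes that follow the IP and TCP headers."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4                # TCP header length in bytes
    total = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl + doff:total]


def url_view(packet):
    """URL-level record: needs the payload. None if it is not a plaintext HTTP request."""
    head = tcp_payload(packet).partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
    try:
        return "http://" + host.decode("ascii") + parts[1].decode("ascii")
    except UnicodeDecodeError:
        return None


# Constructed sample traffic. Destination IP and URL are the ones quoted in the
# article above; the client address is from the documentation range (assumption).
HTTP_PKT = build_packet(
    "192.0.2.10", "66.230.200.100", 49152, 80,
    b"GET /wiki/Ecstasy HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n",
)
# Same destination over port 443: a TLS application-data record header followed
# by 32 filler bytes standing in for ciphertext (constructed, not real TLS output).
TLS_PKT = build_packet(
    "192.0.2.10", "66.230.200.100", 49153, 443,
    b"\x17\x03\x03\x00\x20" + b"\xab" * 32,
)

if __name__ == "__main__":
    for label, pkt in (("plaintext HTTP", HTTP_PKT), ("TLS", TLS_PKT)):
        print(label)
        print("  addressing record:", addressing_view(pkt))
        print("  URL record:       ", url_view(pkt))
```
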
Read the ruling - IP *AND* e-mail addresses (Score:2)
Re: (Score:2)
So what? (Score:2)
If something must remain confidental (source code, thoughts, company plans), it is put onto a server, and a reference sent via email (with GPG signing). The recipient can CERTAINLY go to the web page, where she will be redirected to an SSL page.
As soon as the SSL connection is set up, I use Apache Basic Authentication. Give me a user name and password. And these are reasonably secure. At lea
Everyone ELSE is, why not? (Score:2)
If this stops buildings from exploding, it's fine with me. It's not like the net's been private for over ten years...
Want something private? Create an ssh tunnel.
The court is missing the point...... (Score:2, Insightful)
This is great news! (Score:3, Interesting)
Great news comes in strange forms sometimes...
Now we can all begin converting our internal infrastructure to using very strong, protocol-based encryption, end-to-end. Bittorrent for http, secure, anonymous, private networks wrapped around our standard applications and more.
Begin now, if you're not using strong encryption.. you should be. Don't let the government WE put into place, tell you what YOU can do with your own Internet time.
If the government we put into place is not representing your best interests, it's time to replace them with one that does.
Lock everything down and keep prying eyes out.
Encryption doesn't help much. :-( (Score:2)
It doesn't matter if I say,
"Hey Bob-The-Anarchist, let's go be subversive!"
or
"Hey Bob-The-Anarchist, KJLJALIUHFFLKAJHSLSAUFRGGFGFGJEUCJDKUEUD"
Even if they can't decode the second one, anyone listening still knows I was talking to the "Enemy of the People," Bob.
So, seeing how what's at issue in this article is who you're talking to more than what you're saying, encryption is, unfortunately, not super relevant.
I think the only technical solution here is to use steganography and communicate through
Re: (Score:2)
From TFA: "The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling."
;)
I don't see what all the hoopla is all about. They're not opening the emails or reading any content. At least, they should not be.
Take your foil hats off...
Cheers.
Except that, as far as I know, it's not illegal to post something without a return address on it.
Re: (Score:2)
Also, as stated elsewhere, any web address has a direct relationship to the contents of a web page. This is more information than just a phone number or address on a letter.
Personally, I'm no
Re: (Score:3, Insightful)
Now the feds using their tap into the AT&T bac
Re:Law Reform (Score:4, Insightful)
Be careful what you wish for - the "reform" might not be quite what you wanted, citizen.