Monday, July 06, 2009

Praise for AT&T's gutsy defense of customer privacy

I'm about to do something I never thought I would do: Praise AT&T for taking a strong stand on privacy by refusing to disclose a customer's communications records to the government without a court order.

Fresh from Wikileaks

On April 30th, a fascinating email showed up on Wikileaks, purporting to be from a Special Agent in the Florida Computer Crime Center, writing to other law enforcement colleagues to complain about his experience in trying to obtain identifying information on AT&T and Yahoo customers.

There is no way to verify the authenticity of the email message; however, a quick Google search reveals that Mike Duffey does indeed work for the Florida Computer Crime Center.

While the email is worth reading in full, I'll summarize it here.

Warning: the details of this case are not very nice -- if you don't think terrorists, drug dealers and pedophiles deserve the benefit of due process and 4th amendment rights, you may want to stop reading now -- or you'll just get angry and/or upset.

On June 24, Special Agent Mike Duffey and his team were investigating a tip-off regarding a gentleman who had reportedly bragged about molesting his six-year-old daughter on a Yahoo chat room and via Yahoo instant messenger.

Duffey's colleagues were able to find a MySpace page which listed the same Yahoo account in its contact information, and soon began to try and locate identifying information on several suspects.

First, Duffey's team contacted MySpace, claimed exigent circumstances, and were able to obtain the suspects' subscriber information and 30 days' worth of historical IP address information, revealing the Internet addresses the suspects had used to access their MySpace accounts. MySpace responded to Duffey's request within 20 minutes, and within 45 minutes had provided the agents with all the information they requested, all without requiring a subpoena or any other form of court order. The police simply claimed that this was a case of life or death, and MySpace handed over the information, no questions asked.

Second, Duffey's team contacted Yahoo in order to try and learn which IP addresses were used during the alleged chat room confession. Yahoo took three hours to respond to Duffey's request, at which point the company rejected the "exigent circumstances" argument. In a follow-up conversation with Yahoo employees, Duffey was told that the company would be unable to provide any IP address information until 48 hours after they occurred. A further seven hours later, Yahoo provided 48-hour-old IP address information, which, like the MySpace logs, pointed to an AT&T customer as the source.

Third, Duffey's team then contacted AT&T, which, like Yahoo, refused his attempt to claim exigent circumstances. AT&T told him that they would not provide any information without a subpoena, which, in Florida, must be issued by a court clerk.

Seven hours after initially contacting AT&T, Duffey obtained a subpoena, after which AT&T immediately provided him with the name and address of the customer whose IP address had shown up in the most recent MySpace logs.

Two hours later, the suspect was arrested at his home, and quickly confessed.

Analyzing the law

The Electronic Communications Privacy Act strictly regulates service providers' sharing of customer information with the government.

As Susan Brenner has described in greater depth:
18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”...

8 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”.

The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.

So essentially, by claiming exigent circumstances, Special Agent Mike Duffey gave MySpace, Yahoo and AT&T the legal protection to voluntarily disclose their customers' information to the police.

MySpace jumped at the opportunity to share this data, Yahoo spun its wheels before eventually coughing up some data, while AT&T ultimately refused, as it was legally permitted to do. That is, while the exigent circumstances enable an ISP to voluntarily share data on its customers, § 2703 still prohibits the government from compelling the production of customer records without a court order. Until the government produces a subpoena, the ISP can always lawfully say no.

Exigent Circumstances

Why should AT&T refuse to provide critical information to police in what is clearly a life and death situation involving a small child and a pedophile?

Well, it turns out that law enforcement doesn't have the best track record when it comes to its use of exigent circumstances. As the EFF's Kurt Opsahl described back in 2007:
We already knew that the FBI’s use of “exigent circumstances” letters was illegal. DOJ’s Inspector General Fine already condemned them in a well-publicized IG report that outlined how hundreds of requests were made where there was no immediate danger of death or serious physical injury and, in any event, “the letters did not recite the factual predication necessary to invoke [the emergency] authority.”
Now I'm sure that in this case the Florida police were telling the truth. However, in the past, both local police and federal law enforcement officers have been repeatedly caught fudging the truth in order to obtain these so-called exigent circumstances. Furthermore, there is a fairly large body of case law in which police put people's lives at risk in order to create exigent circumstances -- in such cases, the courts have rightfully thrown out the searches.

AT&T is likely going to take a lot of heat for refusing the exigent request if and when it hits the news. Who knows, perhaps that is the reason this email was leaked in the first place.

It is thus important that members of the privacy community rally around AT&T and support the company for its legally justified insistence upon a court order in this case, no matter how much we all continue to detest AT&T's completely illegal participation in the NSA warrantless wiretapping program.

Perhaps subpoenas take an excessive amount of time to get. Certainly, it took the officers in this case more than 7 hours in order to obtain theirs. I am sure there would be no objection to speeding up this process -- perhaps by allowing police officers to submit their requests to the clerk of the court via a special website, for example? There is no reason why inefficiencies and wasted time in the subpoena process cannot be eliminated -- rather than permitting police to simply ignore the process altogether and claim exigent circumstances.

In this case, the police waited more than three hours for Yahoo to respond to their initial request -- which, if the system worked, should be more than enough time to obtain a subpoena.

Shining the light on a shadowy practice

Those of you who might be shocked by MySpace's total willingness to disclose customer records without a court order should not be -- it is quite possibly the norm in the industry.

While it is not known to the general public, practically every Internet company gets requests, daily, from law enforcement agents wishing to dig up information on that company's customers. In order to deal with these requests, these firms all have "legal compliance" departments, some of which are open 24 hours a day, 7 days per week. A full list of these can be found here.

Of course, these firms don't like to discuss the fact that they routinely disclose their customers' private information to law enforcement. See, for example:

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws. In particular, the Electronic Communications Privacy Act ("ECPA") protects customer records and the communications of customers of online services."

“Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.”

Q: How many subpoenas for server log data does Google receive each year?
A: As a matter of policy, we don’t provide specifics on law enforcement requests to Google.

Facebook is the only company to even discuss the topic and provide ballpark numbers, telling Newsweek just a few weeks ago that the company receives between 10 and 20 requests from police every day. That is, somewhere between 3600 and 7300 requests per year.

Wolves watching the sheep

Who is responsible for judging the requests for customer information from law enforcement, in order to determine if they are appropriate, lawful and do not request excessive information?

In many cases, it is former law enforcement agents and prosecutors.

The Chief Security Officer at MySpace, Hemanshu Nigam, is a former deputy district attorney from Los Angeles County, where he specialized in child exploitation and rape prosecutions.

Who is Google's new Senior Counsel in charge of Law Enforcement and Information Security? Richard Salgado, a former Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice.

What about Google's Privacy Counsel? That would be Jane Horvath, formerly the Chief Privacy Officer at the US Department of Justice under Alberto Gonzales.

What about Microsoft? The company's Senior Director for Global Criminal Compliance, Online Services Security & Compliance is Susan Koeppen, and like Google's Salgado, she was formerly a Senior Attorney at the Computer Crime and Intellectual Property Section of the United States Department of Justice.

This is not to say that these companies do not follow the law -- I am sure they follow it to the letter. Merely that when the police and FBI call up these companies to request customer information, the person on the other end of the phone is often very sympathetic to their point of view -- because often, they are former colleagues.

While there are certainly former staffers from the Electronic Frontier Foundation and other public interest groups working for Google and some of the other firms, you can bet your bottom dollar they are not let anywhere near sensitive issues like subpoenas, search warrants and national security letters, where the companies might not be as pro-privacy as they like people to believe.

Facebook is perhaps the only company to break from this norm -- by hiring a "privacy hawk" and former ACLU lawyer to be the company's point man on privacy issues.

A need for transparency

While it is clear that all Internet companies receive requests, what is unclear is the way they respond to them -- that is, do Google and Microsoft voluntarily disclose data whenever law enforcement officers claim exigent circumstances, or do they, like AT&T, push back and demand a subpoena?

The policy approach taken to these situations likely depends upon the people receiving and responding to the requests...and as I described above, they are often former colleagues of those agents who are attempting to circumvent the requirement for a subpoena in the first place.

What we need, desperately, is transparency. All Internet companies should follow Facebook's lead, and provide at least some aggregate numbers on the number of requests that they receive every year from law enforcement agents.

Furthermore, they should disclose for how many of those requests the companies provide the relevant information without first requiring a subpoena or court order, voluntarily disclosing it instead after receiving an exigent circumstances letter.

We need transparency, and we need it now.

(H/T to Pogowasright for first spotting the letter on Wikileaks.)

Disclosure: I haven't discussed this case with anyone from AT&T nor have I ever received any funds from the company.

4 comments:

Anonymous said...

Great post. I'd be interested to hear from someone involved in law enforcement about the procedures for obtaining a subpoena and why this process might take more time than is desirable. I am wondering how much can be contributed to inefficiency vs. workload vs. whatever else may be involved.

Anonymous said...

I read Mike Duffey's email when it was posted on Wikileaks.

Didn't you find the grammar, spelling and construction a bit strange?

Maybe I expect better articulation and use of language from law enforcement, but I read the 'leak' and laughed.

There isn't even an email address or domain name on the material.

Anyone can google the name of a 'special agent' and start writing things up.

Strangely no one has officially commented to state if any of the content is true at all.

I think someone is having a really good giggle out there!

Anonymous said...

Hi. The "fascinating email" link is wrong. Cheers.

Anonymous said...

Brian

I'm a detective with local law enforcement and frequently have to deal with these issues during my investigations. In the state where I work our subpoenas are issued by Grand Juries. In my county the Grand Juries are convened on Tuesdays and Thursdays, during business hours. So basically if I am investigating a fluid crime or criminal event and it doesn't fall on one of these days, I am screwed. Even if it did fall on one of those days, by the time I get in to testify and the clerk spits out my subpoena I'm looking at a few hours.

Generally we just count on these records being of no immediate use to us in criminal investigations because of the lag time. We accept this as part of doing business, after all these records DO belong to the companies and their customers and we are the ones asking for help. I have to admit there are times that it chafes though. If I were working the case cited here in this blog I would find it very hard to sit and wait for these records, as every hour that goes by is another in which this girl may be victimized.