The US government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified.
The latest twist: A secret court order made public by the Guardian newspaper on Wednesday shows that the FBI has successfully requested call “metadata” — including the time, duration and location of phone calls, though not what was said on the calls — under provisions of the Patriot Act. Signed by senior federal Judge Roger Vinsonon April 25, the order directs Verizon Business Network Services to provide all call information to the National Security Agency each day for a three-month period.
Whether such sweeping surveillance requests should be allowed under the Patriot Act is a matter of heated debate in Congress. Sen. Dianne Feinstein, D-Calif., who chairs the Senate Select Committee on Intelligence, suggested on Thursday that Vinson’s order was just a regular renewal of surveillance that’s taken place for years. But disclosure of the order also prompted calls to rein in the practice, including from Sen. Richard J. Durbin, D-Ill., the No. 2 Democrat in the Senate. On another front, two senators introduced legislation in March to bolster privacy protection for emails; action is pending.
Against that backdrop, here’s a look at how law enforcement can track you without a warrant:
PHONE RECORDS: Who You Called, When You Called
How they get it. Listening to your phone calls without a judge’s warrant is illegal if you’re a U.S. citizen. But police don’t need a warrant — which requires showing “probable cause” of a crime — to get just the numbers you called and when you called them, as well as incoming calls, from phone carriers. Instead, police can get courts to sign off on a subpoena, which only requires that the data they’re after is relevant to an investigation — a lesser standard of evidence. The FBI can also request a secret court order for phone records related to an international terrorism or spying investigation without showing probable cause. A recent court order obtained by the Guardian newspaper shows that the FBI requested all phone records over a three-month period from Verizon Business Network Services in April. Sen. Saxby Chambliss, a Georgia Republican and the vice chair of the Senate Intelligence Committee, suggested that such court orders were routine. “This is nothing particularly new,” he said at a news conference with Sen. Dianne Feinstein, the Intelligence Committee’s chairwoman. “This has been going on for seven years under the auspices of the FISA authority, and every member of the United States Senate has been advised of this.”
What the Law Says. Police can get phone records without a warrant thanks to Smith v. Maryland, a Supreme Court ruling in 1979, which found that the Constitution’s Fourth Amendment protection against unreasonable search and seizure doesn’t apply to a list of phone numbers. The New York Times reported last November that New York’s police department “has quietly amassed a trove” of call records by routinely issuing subpoenas for them from phones that had been reported stolen. According to the Times, the records “could conceivably be used for any investigative purpose.” The Foreign Intelligence Surveillance Act, which Congress expanded in 2001 when it passed the Patriot Act, also allows the FBI to apply for a court order to get “any tangible things (including books, records, papers, documents, and other items),” including phone records. For example, the court order obtained by the Guardian covers all records from April 25 to July 19, which Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, said was much more expansive than a typical warrant or a subpoena. “I’ve never seen a subpoena that broad,” he said. The order covers “telephone metadata … for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.”
LOCATION DATA: your phone is a tracker
How they get it. Many cell phone carriers provide authorities with a phone’s location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smart phones. The major cell carriers, including Verizon and AT&T, responded to at least 1.3 million law enforcement requests for cell phone locations, text messages and other data in 2011. Internet service providers can also provide location data that tracks users via their computer’s IP address — a unique number assigned to each computer. The FBI can also apply for a court order to location data relevant to an international terrorism or spying investigation under FISA in the same way it requests other phone records.
What the law says. Many courts have ruled that police don’t need a warrant from a judge to get cell phone location data. They only have to show that, under the federal Electronic Communications Privacy Act (EPCA), the data contains “specific and articulable facts” related to an investigation — again, a lesser standard than probable cause. Delaware, Maryland and Oklahoma have proposed laws that would require police to obtain a warrant for location data; Gov. Jerry Brown of California, a Democrat, vetoed a similar bill last September. Last year, the Senate Judiciary Committee approved a bill championed by Sen. Patrick Leahy, a Vermont Democrat, which would have updated the ECPA but wouldn’t have changed how location data was treated. Leahy and Sen. Mike Lee, a Utah Republican, introduced a similar bill last month, which remains in committee. Rep. Zoe Lofgren, a California Democrat, introduced a separate bill in the House of Representatives in March that would require a warrant for location data as well as emails.
IP ADDRESSES: what computers you used
How they get it. Google, Yahoo, Microsoft and other web mail providers accumulate massive amounts of data about our digital wanderings. A warrant is needed for access to some emails (see below), but not for the IP addresses of the computers used to log into your mail account or surf the Web. According to the American Civil Liberties Union, those records are kept for at least a year.
What the law says. Police can thank U.S. v. Forrester, a case involving two men trying to set up a drug lab in California, for the ease of access. In the 2007 case, the government successfully argued that tracking IP addresses was no different than installing a device to track every telephone number dialled by a given phone (which is legal). Police only need a court to sign off on a subpoena certifying that the data they’re after is relevant to an investigation — the same standard as for cell phone records. FISA also allows the FBI to apply for a secret court order to get “any tangible things (including books, records, papers, documents, and other items)” relevant to an international terrorism or spying investigation. It is unclear whether IP addresses are considered “tangible things.” The Foreign Intelligence Surveillance Court has issued legal opinions on how to interpret the law, but those opinions are classified.
EMAILS: messages you sent months ago
How they get it. There’s a double standard when it comes to email, one of the most-requested types of data. A warrant is needed to get recent emails, but law enforcement can obtain older ones with only a subpoena. Google says it received 16,407 requests for data — including emails sent through its Gmail service — from U.S. law enforcement in 2012. And Microsoft, with its Outlook email service, disclosed last month that it had received 11,073 requests for data last year. Other email providers, such as Yahoo, have not made similar statistics available. In January, Google said that it would lobby in favor of greater protections for email.
What the law says. This is another area where the ECPA comes into play. The law gives greater protection to recent messages than older ones, using a 180-day cut-off. Only a subpoena is required for emails older than that; otherwise, a warrant is necessary. This extends to authorities beyond the FBI and the police. IRS documents released in April by the American Civil Liberties Union suggest that the IRS’ Criminal Tax Division reads emails without obtaining a warrant. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would require a warrant for the authorities to get all emails regardless of age. The Justice Department, which had objected to such a change, said in March that it doesn’t any longer. As with IP addresses, it’s unclear whether emails are considered “tangible things” under the FISA, which would let the FBI request a secret court order for ones deemed relevant to international terrorism or spying investigations.
EMAIL DRAFTS: drafts are different
How they get it. Communicating through draft emails, à la David Petreaus and Paula Broadwell, seems sneaky. But drafts are actually easier for investigators to get than recently sent emails because the law treats them differently.
What the law says. The ECPA distinguishes between communications — emails, texts, etc. — and stored electronic data. Draft emails fall into the latter, which get less protection under the law. Authorities need only a subpoena for them. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would change that by requiring a warrant to obtain email drafts. Like IP addresses, it’s unclear whether email drafts are considered “tangible things” under FISA, which would let the FBI request a secret court order for ones deemed relevant to international terrorism or spying investigations.
TEXT MESSAGES: as with emails, so with texts
How they get it. Investigators need only a subpoena, not a warrant, to get text messages more than 180 days old from a cell provider — the same standard as emails. Many carriers charge authorities a fee to provide texts and other information. For texts, Sprint charges $30, for example, while Verizon charges $50.
What the law says. The ECPA also applies to text messages, according to Fakhoury, which is why the rules are similar to those governing emails. But the ECPA doesn’t apply when it comes to actually reading texts on someone’s phone rather than getting them from a carrier. State courts have split on the issue. Ohio’s Supreme Court has ruled that police need a warrant to view the contents of cell phones of people who’ve been arrested, including texts. But the California Supreme Court has said no warrant is needed. The U.S. Supreme Court in 2010 declined to clear up the matter. Like IP addresses, it’s unclear whether text messages are considered “tangible things” under FISA, which would let the FBI request a secret court order for those deemed relevant to international terrorism or spying investigations.
CLOUD DATA: documents, photos, and other stuff stored online
How they get it. Authorities typically need only a subpoena to get data from Google Drive, Dropbox, SkyDrive, and other services that allow users to store data on their servers, or “in the cloud,” as it’s known.
What the law says. The law treats cloud data the same as draft emails — authorities don’t need a warrant to get it. But files that you’ve shared with others — say, a collaboration using Google Docs — might require a warrant under the ECPA if it’s considered “communication” rather than stored data. “That’s a very hard rule to apply,” says Greg Nojeim, a senior counsel with the Center for Democracy & Technology. “It actually makes no sense for the way we communicate today.” Like IP addresses, it’s unclear whether files stored in the cloud are considered “tangible things” under FISA, although the law specifically states that “documents” are included. If cloud data is covered by FISA, it would let the FBI request a secret court order for data deemed relevant to international terrorism or spying investigations.
SOCIAL MEDIA: the new privacy frontier
How they get it. When it comes to sites like Facebook, Twitter and LinkedIn, the social networks’ privacy policies dictate how cooperative they are in handing over users’ data. Facebook says it requires a warrant from a judge to disclose a user’s “messages, photos, videos, wall posts, and location information.” But it will supply basic information, such as a user’s email address or the IP addresses of the computers from which someone recently accessed an account, under a subpoena. Twitter has reported that it received 1,494 requests for user information from U.S. authorities in 2012. The company says it received 60 percent of requests in the second half of 2012 through subpoenas, 11 percent through other court others, 19 percent through search warrants and 10 percent through other means. Twitter says that “non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process.”
What the law says. Courts haven’t issued a definitive ruling on social media. In September, a Manhattan Criminal Court judge upheld a prosecutor’s subpoena for information from Twitter about an Occupy Wall Street protester arrested on the Brooklyn Bridge in 2011. It was the first time a judge had allowed prosecutors to use a subpoena to get information from Twitter rather than forcing them to get a warrant; the case is ongoing. Like IP addresses, it’s unclear whether posts on social media are considered “tangible things” under FISA, which would allow the FBI to request a secret court order for those deemed relevant to international terrorism or spying investigations.
Theodoric Meyer and Peter Maass are journalists with ProPublica, an independent, non-profit newsroom that produces investigative journalism in the public interest. This article has been republished under a Creative Commons licence.