• Tag Archives 4th Amendment
  • EFF to the SEC: Get a Warrant

    If the federal government wants to compel an online service provider, like Yahoo or Google, to turn over your email, they need a warrant. That’s the industry-accepted best practice, implemented by nearly every major service provider. More importantly, it’s what the Fourth Amendment requires.

    The Securities and Exchange Commission (SEC), the federal agency charged with enforcing federal securities laws, seems to think it falls outside the warrant requirement. In a civil case currently pending in Maryland, the agency asked a federal judge to compel Yahoo to comply with an administrative subpoena—read, not a warrant—it sent to the company, which would require the company to turn over the emails of one of its users. An administrative subpoena lacks the privacy safeguards of a warrant, including a higher standard justifying government access (i.e., probable cause) and prior review by a judge.

    Yahoo fought back, refusing to comply with the subpoena and opposing the SEC’s motion. Last week, EFF, joined by our friends at CDT, filed an amicus brief in support of Yahoo. Our brief made a simple point: if the federal government wants to compel a third-party provider to turn over a user’s email, it needs a warrant. That rule applies to the SEC, just as any other federal or state government agency.

    The SEC’s position isn’t a new one. They have long claimed a right to access email content from providers without a warrant. In fact, the SEC has been one of the primary obstacles to passing an update to the Electronic Communications Privacy Act (ECPA), the federal law that governs government access to emails and other content stored in the cloud. But this is the first time (as far as we know) that the SEC has tested its theory in court.

    Fortunately, even though the SEC has so far been successful in blocking attempts to amend ECPA, the agency still has to contend with the Constitution. As we explained in our brief, because users have a reasonable expectation of privacy in their email stored with online service providers (a point SEC wisely conceded), the Fourth Amendment requires the agency to obtain a warrant—or to rely on an exception to the warrant requirement—in order to intrude upon that privacy.

    The SEC argues that, as a civil law enforcement agency, it lacks the power to obtain a warrant by itself. But as we pointed out, whenever there is a criminal component to an investigation—as is the case here—the SEC can coordinate with the Justice Department to obtain a warrant. Apparently, the SEC is concerned that, in purely civil cases, when it can’t work with the Justice Department to obtain a warrant, companies or individuals may be able to shield their emails from disclosure. But civil litigation offers a variety of levers for the SEC to pull in order to obtain the same or similar information, without compelling its disclosure from a third-party service provider.

    Ultimately, our constitutional privacy rights shouldn’t be diminished just because the SEC wants to conduct its investigations more efficiently. The hearing in the case is scheduled for Friday, June 30. We hope the court will send a clear message to government agencies: if you want to compel a third-party provider to turn over email content, get a warrant.

    Source: EFF to the SEC: Get a Warrant | Electronic Frontier Foundation

  • The Fight Against General Warrants to Hack Rages On

    The federal government thinks it should be able to use one warrant to hack into an untold number of computers located anywhere in the world. But EFF and others continue to make the case that the Fourth Amendment prohibits this type of blanket warrant. And courts are starting to listen.

    Last week, EFF pressed its case against these broad and unconstitutional warrants in arguments before a federal court of appeals in Boston, Massachusetts. As we spelled out in a brief filed earlier this year, these warrants fail to satisfy the Fourth Amendment’s basic safeguards.

    The case, U.S. v. Levin, is one of hundreds of prosecutions resulting from the FBI’s 2015 seizure and operation of a child pornography site “Playpen.” While running the site, the FBI used malware—or a “Network Investigative Technique” (NIT), as they euphemistically call it—to infect computers used to visit the site and then identify those visitors. Based on a single warrant, the FBI ended up hacking into nearly 9,000 computers, located in at least 26 different states, and over 100 countries around the world.

    But that’s unconstitutional. One warrant cannot allow law enforcement to hack into thousands of computers wherever they are in the world. As law enforcement defended these blanket hacking warrants and pushed for federal rule changes to allow them—and as Congress stood by and idly let this rule change go into effect—we’ve been fighting in court to make sure that the Fourth Amendment’s protections don’t disappear as law enforcement begins to rely on hacking more and more.

    And there are signs that courts are beginning to recognize the threats to privacy these warrants pose. Earlier this year, a federal magistrate judge in Minnesota found [PDF] that the warrant the FBI relied on in the Playpen case—the same warrant we were arguing against in Levin—violated the Fourth Amendment.

    In the February report, Magistrate Judge Franklin Noel described how the government’s NIT fails the Fourth Amendment’s requirement that warrants describe a particular place to be searched, agreeing with arguments we’ve made to courts in other Playpen prosecutions. The warrant in this case fails to satisfy that requirement because, at the time the warrant was issued, “it is not possible to identify, with any specificity, which computers, out of all of the computers on earth, might be searched pursuant to this warrant,” Noel wrote.

    He also explained how the warrant essentially flips the Fourth Amendment’s particularity requirement on its head, searching and then identifying specific computers instead of identifying specific computers and then searching them. “Only with [information gathered through the use of malware] could the Government begin to describe with any particularity the computers to be searched; however, at that point, the computer had already been searched.”

    It’s encouraging that courts are beginning to agree with arguments from us and others that these warrants far exceed the Fourth Amendment’s limits on government searches.

    As the Playpen prosecutions begin to work their way up to the courts of appeals, the stakes become higher. The decisions these courts reach will likely shape the contours of our constitutional protections for years to come. We’ve filed briefs in every appeal so far, and we’ll continue to make the case that unfamiliar technology and unsavory crimes can’t justify dispensing with the Fourth Amendment’s requirements altogether.

    Source: The Fight Against General Warrants to Hack Rages On | Electronic Frontier Foundation

  • The Bill of Rights at the Border: Fourth Amendment Limits on Searching Your Data and Devices

    More than 325,000 people enter the United States via airports every day, with hundreds of thousands more crossing by land at the borders. Not only is that a lot of people, it’s also a lot of computers, smartphones, and tablets riding along in our pockets, bags, and trunks. Unfortunately, the Fourth Amendment protections we enjoy inside the U.S. for our devices aren’t always as strong when we’re crossing borders—and the Department of Homeland Security takes advantage of it. On the other hand, the border is not a Constitution-free zone. What are the limits to how and how much customs and immigration officials can access our data?

    To help answer those questions, we’re offering the second in our series of posts on the Constitution at the border, focusing this time on the Fourth Amendment. For Part 1 on the First Amendment, click here.

    The Default Privacy Rule

    The Fourth Amendment forbids “unreasonable” searches and seizures by the government. In most circumstances, the Fourth Amendment requires that government agents obtain a warrant from a judge by presenting preliminary evidence establishing “probable cause” to believe that the thing to be searched or seized likely contains evidence of illegal activity before the officer is authorized to search.

    The Border Search Exception

    Unfortunately, the Supreme Court has sanctioned a “border search exception” to the probable cause warrant requirement on the theory that the government has an interest in protecting the “integrity of the border” by enforcing the immigration and customs laws. As a result, “routine” searches at the border do not require a warrant or any individualized suspicion that the thing to be searched contains evidence of illegal activity.

    The Exception to the Exception: “Non-Routine” Searches

    But the border search exception is not without limits. As noted, this exception only applies to “routine” searches, such as those of luggage or bags presented at the border.  “Non-routine” searches – such as searches that are “highly intrusive” and impact the “dignity and privacy interests” of individuals, or are carried out in a “particularly offensive manner” – must meet a higher standard: individualized “reasonable suspicion.” In a nutshell, that means border agents must have specific and articulable facts suggesting that a particular person may be involved in criminal activity.

    For example, the Supreme Court held that disassembling a gas tank is “routine” and so a warrantless and suspicionless search is permitted. However, border agents cannot detain a traveler until they have defecated to see if they are smuggling drugs in their digestive tract unless the agents have a “reasonable suspicion” that the traveler is a drug mule.

    Border Searches of Digital Devices

    How does this general framework apply to digital devices and data at the border? Border agents argue that the border search exception applies to digital searches.  We think they are wrong.  Given that digital devices like smartphones and laptops contain highly personal information and provide access to even more private information stored in the cloud, the border search exception should not apply.

    As Chief Justice Roberts recognized in a 2014 case, Riley v. California:

    “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans the privacies of life.”

    Snooping into such privacies is extraordinarily intrusive, not “routine.” Thus, when the government asserted the so-called “incident to arrest” exception to justify searching a cell phone without a warrant during or immediately after an arrest, the Supreme Court called foul.

    Why is the Riley decision important at the border? For one thing, the “incident to arrest” exception that the government tried to invoke is directly comparable to the border search exception, because both are considered “categorical” exemptions. Given that the intrusion is identical in both instances, the same privacy protections should apply.

    Moreover, with the ubiquity of cloud computing, a digital device serves as a portal to highly sensitive data, where the privacy interests are even more significant. Following Riley, we believe that any border search of a digital device or data in the cloud is unlawful unless border agents first obtain a warrant by showing, to a judge, in advance, that they have probable cause to believe the device (or cloud account) likely contains evidence of illegal activity.

    However, lower courts haven’t quite caught up with Riley.  For example, the Ninth Circuit held that border agents only need reasonable suspicion of illegal activity before they could conduct a non-routine forensic search of a traveler’s laptop, aided by sophisticated software. Even worse, the Ninth Circuit also held that a manual search of a digital device is “routine” and so a warrantless and suspicionless search is still “reasonable” under the Fourth Amendment. Some courts have been even less protective. Last year a court in the Eastern District of Michigan upheld a computer-aided border search of a traveler’s electronic devices that lasted several hours without reasonable suspicion.

    EFF is working hard to persuade courts (and border agents) to adopt the limits set forth in the Riley decision for border searches of cellphones and other digital devices. In the meantime, what should you do to protect your digital privacy?

    Much turns on your individual circumstances and personal risk assessment. The consequences for non-compliance with a command from a CBP agent to unlock a device will be different, for example, for a U.S. citizen versus a non-citizen. If you are a U.S. citizen, agents must let you enter the country eventually; they cannot detain you indefinitely. If you are a lawful permanent resident, agents might raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents may deny you entry entirely.

    We recommend that everyone conduct their own threat model to determine what course of action to take at the border. Our in-depth Border Search Whitepaper offers you a spectrum of tools and practices that you may choose to use to protect your personal data from government intrusion. For a more general outline of potential practices, see our pocket guides to Knowing Your Rights and Protecting Your Data at the Border.

    And join EFF in calling for stronger Constitutional protection for your digital information by contacting Congress on this issue today.

    Source: The Bill of Rights at the Border: Fourth Amendment Limits on Searching Your Data and Devices | Electronic Frontier Foundation