From EFF.org
Electronic Eavesdropping is Legally Hard for the Government, But Technically Easy
As you learned in the last section, wiretapping is legally difficult for the government: it must obtain a hard-to-get intercept order or "super-warrant" from a court, subject to strict oversight and variety of strong privacy protections. However, wiretapping is typically very technically easy for the government. For example, practically anyone within range of your laptop's wireless signal, including the government, can intercept your wireless Internet communications. Similarly, practically anyone within range of your cell phone's radio signal, including the government, can — with a few hundred bucks to buy the right equipment — eavesdrop on your cell phone conversations.
As far as communications that travel over telecommunications' companies cables and wires rather than (or in addition to) traveling over the air, the government has very sophisticated wiretapping capabilities. For example, using a nationwide surveillance system called "DCSNet" ("DCS" stands for "Digital Collection System") that is tied into key telecommunications switches across the country, FBI agents can from the comfort of their field offices "go up" on a particular phone line and start intercepting or pen-trap tapping wireline phone calls, cellular phone calls, SMS text messages and push-to-talk communications, or start tracking a cell phone's location, at a moment's notice. The government is believed to have similar capabilities when it comes to Internet communications. The extensive and powerful capabilities of the DCSNet, first uncovered in government documents that EFF obtained in a Freedom of Information Act lawsuit (details at http://www.eff.org/issues/foia/061708CKK), are well-summarized in the Wired.com article "Point, Click...Eavesdrop: How the FBI Wiretap Net Operates".
Using "bugs" to eavesdrop on your oral conversations has also gotten much easier for the government with changes in technology. Most notably, the government now has the technical capability, with the cooperation of your cell phone provider, to convert the microphone on some cell phones or the cell phone in your car's emergency services system into a bug. The government likely also has the ability, with your phone company's help, to open the line on your landline phone and use its microphone as a bug, although we've yet to see any specific cases where such landline phone-based bugging has been used. Finally, the government may even have the capability, using remotely-installed government malware, to turn on the microphone or camera on your computer.
Choosing a Communication Method
Old Ways are Often the Best Ways
Considering the government's broad capability to wiretap communications, there isn't much difference in the technical risk that wiretapping poses to your phone calls versus your emails versus your SMS text messages. However, as described in the last section, there are differences in the legal protections for these modes of communication, and as will be described later in this section, there may be technical steps that you can take — such as encrypting your communications — that may be easier or harder depending on which communications method you choose.
So, when thinking about securing your communications against eavesdropping and wiretapping, your first choice — whether to meet in person, call on the telephone, write an email, or tap out an SMS text or IM message — is also your most important choice. As you'll see below, the least technically sophisticated modes of communication like face-to-face conversations and landline telephone conversations are often the most secure against unwanted eavesdropping, unless you and those you communicate with have mastered how to encrypt your Internet communications.
Face-to-Face Conversations Are the Safest Bet
As shown in the last section, government eavesdropping of your "oral communications" or face-to-face conversations using "bugs" or hidden microphones is very rare: only 20 court orders authorizing oral intercepts were reported in the 2007 wiretap report, compared to 1,998 orders authorizing wiretapping of "wire communications" or voice communications. In other words, you are 100 times more likely to have your phone conversations tapped than to have your face-to-face conversations "bugged".
Not only are your oral conversations at less risk than your phone conversations, but they also receive the same strong legal protections as your phone conversations. Like your phone calls and unlike your non-voice Internet communications, oral communications that are intercepted in violation of the Wiretap Act are subject to that statute's exclusionary rule, and cannot be used against you as evidence in a criminal trial.
Therefore, face-to-face conversations in private are the most secure method of communicating. Deciding whether to talk face-to-face rather than send an email or make a telephone call becomes a traditional security trade-off: is the inconvenience of having to meet face-to-face worth the security gain? Depending on whom you want to talk to and where they are, that inconvenience could be trivial or it could mean a cross-country trip. If the person you want to communicate with is in the same office or just next door, you may want to choose a private conversation even for communications that aren't particularly sensitive. When it comes to your very most sensitive data, though, that cross-country flight might be worth the trade-off.
Just because the risk of oral interception is very low doesn't mean you shouldn't take technical precautions to reduce that risk, particularly when it comes to very sensitive conversations. Therefore, depending on how convenient it is and how sensitive the conversation is — again, it's a trade-off — you may want to have your conversation in a room that does not contain a landline telephone or a computer with a built-in or attached microphone or camera, and either not carry your cell phone or remove its battery (the microphone on some phones can be activated even when the phone is powered down, unless you remove the battery). Even if your conversation isn't especially sensitive, it doesn't hurt to detach external microphones and cameras from your laptop or cover the lens of attached cameras with a small piece of tape when they aren't in use. It's easy to do, and ensures that remote activation of those mics and cameras is one less thing to worry about.
Using the Telephone is Still the Second Safest Bet
If having an oral conversation is simply too great an inconvenience, the second most secure option — unless you've mastered how to encrypt your internet communications — is to use the phone. Even though your phone is statistically more likely to be wiretapped than your Internet communications, the phone is still less risky than unencrypted Internet communications.
This is true for several reasons. First and most important, your phone calls don't generate copies of your communications — once your call is over, the communication disappears forever. Internet communications, on the other hand and as discussed more below, generate copies that make it easier and more likely that someone can find out what you said. The risk of subpoenas to get these copies is much higher than the risk of a phone wiretap. Also, many more potential adversaries have or can gain access to your Internet traffic than to your phone lines.
Also, remember that "wire communications" — that is, voice communications — get more legal protection. If your voice communications are wiretapped in violation of the Wiretap Act, they won't be allowed as evidence; illegally wiretapped Internet communications may still end up in court. That means that investigators have less reason to avoid stretching the law when it comes to your electronic communications.
Speaking generally, just as phone conversations are a safer bet than unencrypted Internet communications, telephone conversations between landline telephones are a safer bet than telephone conversations that involve a cellular telephone.
Most obviously, conversations that involve cellular telephones are technically much easier to tap than your landline phone conversations — anyone who is in range of a cell phone's radio signal can listen in using a few hundred dollars worth of specialized cell phone interception equipment (for more discussion of the security threats posed to mobile devices like cell phones, see the article on mobile devices). If you are concerned that government agents may ignore the law and choose to intercept your phone conversations without a wiretap order, intercepting your cell phone's radio signals would be an effective way for them to secretly do so, particularly considering that they do not need to get the assistance of the cell phone provider and that their radio-based interception wouldn't leave any physical trace.
Cell phone conversations may also be more vulnerable legally — some courts have held that communications using cordless telephones are not protected by the Fourth Amendment, finding that there is no reasonable expectation of privacy in the radio signal sent between the cordless handset and the base station. The government may similarly consider the radio signal sent between your cell phone and the cell phone company's cell tower to be unprotected by the Fourth Amendment.
Privacy tip: Avoiding phone tap paranoiaContrary to popular belief, modern phone wiretaps used by the government don't make any noise — no clicks, no hisses, no static, nothing. Don't worry that the government is monitoring you if you happen to hear some unexplained noise on the phone line. You wouldn't believe how often we're told, "I think I'm being wiretapped — I keep hearing clicks!"
Your "wire communications" or voice communications are subject to stronger legal protections than your other communications, regardless of what communications medium you use. So, for example, whether government agents intercept your landline telephone call, your cellular telephone call, or a telephone call made over the Internet, the Wiretap Act's exclusionary rule will prevent them from using that information as evidence against you in a criminal trial if they didn't get a wiretap order first. In contrast, the statute wouldn't prevent the government from using illegally intercepted "electronic communications" like text messages or emails as evidence.
Therefore, you may want to consider using Voice-over-IP (VoIP) services, which allow you to send live voice communications — basically, phone calls — over the Internet. VoIP may be more private than regular calls for one big reason: it's easier to encrypt your conversation, as encrypting regular phone calls is very difficult and expensive. Unfortunately, there isn't any obviously effective and trustworthy option for encrypted VoIP that we can recommend at the moment. See our article on VoIP for futher details.
Always remember that anyone with access to a wire or a computer carrying your communications, or within range of your wireless signal, can intercept your Internet communications with cheap and readily available equipment and software. Lawyers call this wiretapping, while Internet techies call it "packet sniffing" or "traffic sniffing". The only way to protect your Internet communications against wiretapping by the government or anyone else is by using encryption. Of course, it is true that most encryption systems can be broken with enough effort. However, breaking modern encryption systems usually requires that an adversary find a mistake in the way that the encryption was engineered or used. This often requires large amounts of effort and expense, and means that encryption is usually a critically significant defensive measure even when it isn't totally impregnable.
Encryption, unfortunately, isn't always easy to use, so as in other cases, your decision of whether to use it will pose a trade-off: is the inconvenience of using the encryption worth the security benefit?
The occasional inconvenience posed by some encryption systems is counter-balanced by the fact that encryption will protect you against much more than overzealous law enforcement agents. Your Internet communications are vulnerable to a wide range of governmental and private adversaries in addition to law enforcement, whether it's the National Security Agency or a hacker trying to intercept your credit card number, and encryption will help you defend against those adversaries as well.
Also, as described in later sections, encrypting your communications not only protects against wiretapping but can also protect your communications while they are stored with your communications provider. So, for example, even if the government is able to seize your emails from your provider, it won't be able to read them.
Considering all the benefits of encryption, we think that it's usually worth the trade-off, although as always, your mileage may vary depending on your tolerance for inconvience and on how serious you judge the threat of wiretapping to be. In some cases, using encryption may not be inconvenient at all. For example, the OTR encryption system for IM is extremely easy to set up and use; there's little reason not to give it a try. Check out the following articles to learn more about how you can use encryption to protect your internet communications against wiretapping, as well as against traffic analysis using pen-trap taps.
Wi-Fi. Using encryption is especially critical when transmitting your Internet communications over the air using Wi-Fi, since pretty much anyone else in the area that has a wireless-enabled laptop can easily intercept your radio signals. This article will explain how to encrypt the radio signals sent between your laptop and a wireless access point.
Virtual Private Networks (VPNs). Virtual Private Networks or "VPNs" are a potent encryption tool allowing you to "tunnel" communications securely over the Internet.
Web browsers. Some of your web communications can be encrypted to protect against traffic sniffing. Take a look at this article to learn more about HTTPS, the most common web encryption standard, as well as other browser security and privacy tips.
Email and IM. There are a number of poweful tools available for encrypting your emails and your IM messages; take a look at these articles to learn more.
Tor. Tor is free, powerful, encryption-based anonymizing software that offers one of the few methods of defending yourself against traffic analysis using pen-trap taps, and also provides some protection against wiretapping. Visit this article for all the details.
As described earlier, the government can use information transmitted by your cellular telephone to track its location in real-time, whether based on what cell phone towers your cell phone is communicating with, or by using the GPS chip included in most cell phones.
Many courts have required the government to obtain a warrant before conducting this type of surveillance, often thanks to briefing by EFF. (For more information on our work in this area, visit EFF's cell tracking page.) However, many other courts have been happy to routinely authorize cell phone tracking without probable cause.
Even more worrisome, the government has the capability to track cell phones without the cell phone provider's assistance using a mobile tracking technology code-named "triggerfish". This technology raises the possibility that the government might bypass the courts altogether. Even if the government does seek a court order before using "triggerfish," though, it will only need to get an easy-to-get pen-trap order rather than a wiretap order based on probable cause.
Put simply, cell phone location tracking is an incredibly powerful surveillance technology that is currently subject to weak technical and legal protections.
Unfortunately, if you want to use your cell phone at all, avoiding the threat of this kind of real-time tracking is nearly impossible. That's because the government can track your cell phone whenever it's on, even if you aren't making a call. The government can even track some cell phones when they are powered down, unless you have also removed the battery. So, once again, there is a security trade-off: the only way to eliminate the risk of location tracking is to leave the cell phone at home, or remove the battery.
For more information about the privacy risks posed by cell phones, take a look at our article on mobile devices. You may also want to take a look at the advice offered by MobileActive.org in its Primer on Mobile Surveillance.
Due to a combination of legal and technical factors, face-to-face conversations and conversations using landline telephones are more secure against government wiretapping than cell phone or Internet communications. Cell phone conversations are more vulnerable both technically and legally, while SMS text messaging appears for now to be very insecure both technically and legally. Cell phones also create the risk of location tracking, and the only way to eliminate that risk entirely is to not carry a cell phone or to remove the battery.
When it comes to Internet communications, using encryption is the only way to defend against wiretapping, whether by the government or anyone else.
When it comes to pen/trap taps, on the other hand, most encryption products won't protect the types of information that the government can get. That information needs to be transmitted in the clear so computers can direct it to the proper recipient. Only anonymizing tools like Tor will protect you from traffic analysis via pen/trap tap.
Third parties — like your phone company, your Internet service provider, the web sites you visit and interact with or the search engine that you use — regularly collect a great deal of sensitive information about how you use the phone system and the Internet, such as information about who you're calling, who's emailing or IMing you, what web pages you're reading, what you're searching for online, and more. In addition to those records being compiled about you, there's also data that you choose to store with third parties, like the voicemails you store with you cell phone company or the emails you store with your email provider. In this section, we'll talk about the legal rules that govern when and how law enforcement agents can obtain this kind of information stored by and with third parties. We'll then outline steps that you can take to reduce that risk, by learning how to reduce the amount of information collected about you by third parties, minimize the amount of data you choose to store with third parties, or replace plainly readable data with encrypted versions for storage with third parties.
With a subpoena, the government can obtain from your communications providers what is often called "basic subscriber information." Sometimes, the subpoena will specifically name a person whose information is being sought; other times the government will ask for information regarding a particular phone number, Internet username, email address, or IP address. With such a subpoena, the government can (only) get your:
The government can get this information with no notice to you at all, and can also get a court order forcing your service provider not to tell you or anyone else.
In order to get a communications provider to turn over other records beyond basic subscriber information, the government either has to get a search warrant or a special court order. Sometimes called "D" orders, since they are authorized in subsection (d) of section 2703 of the Stored Communications Act, these court orders are much easier to get than search warrants but harder to get than subpoenas. The government can get this information with no notice to you at all, and can also get a court order forcing your service provider not to tell you or anyone else.
In addition to basic subscriber information, your ISP or email provider may maintain records or "logs" of:
Which, if any, of the above are logged varies, depending on your particular ISP or email provider's privacy policies and resources. However, just about every ISP will log IP addresses and log-on/off times, and keep those logs for at least a few months.
Cellular phone companies may also keep records of which cell tower your phone communicated with when you were making calls. These cell site tower records can help pinpoint your physical location at points in the past, and are increasingly the target of law enforcement investigations. And although some courts have required the government to obtain a warrant based on probable cause before obtaining these records, the government's usual practice is to get such records based on the much lower "D" Order standard.
In addition to the logs kept by your communications providers, there are also logs kept by the Web sites that you visit. For example, the Apache web server is currently the most widely used web server on the Internet. In its default configuration, it logs the following information about each request it receives from a web browser:
However, the server could potentially be configured to log anything you or your browser tells it, in addition to the above.
The Stored Communications Act clearly protects records held by companies that offer the public the ability to send and receive communications — phone companies, ISPs, webmail providers, IM providers, bulletin board sites, etc. However, it does not necessarily protect logs held by web sites that don't offer communications service, which is most of them.
This is particularly worrisome when it comes to search engines. The government's position is that logs kept by search engines are not protected by the Stored Communications Act at all. Considering that these logs can often be linked back to you — either by your IP address or "cookies," or, if you've registered with other services offered by the search engine, by the information you entered when registering — this potential gap in legal protection represents a serious privacy threat.
Compared to the relatively weak protection for non-content records, the law gives some extra protection to communications content that you have stored with (or that is otherwise stored by) communications service providers like your phone company, your ISP, or an email provider like Gmail or Hotmail. Your communications providers cannot disclose your stored communications to the government unless the government satisfies the requirements described below; nor can they disclose your stored communications to anyone other than the government without your permission. There is one notable exception, though, for serious emergencies: if the provider believes in good faith that not immediately disclosing the communications could lead to someone’s death or serious injury, they can give them to the government.
Note, however, that these restrictions on the disclosure of your communications only apply to communications providers that offer their services to the public. Even more worrisome, the government doesn’t consider businesses or schools and universities that offer their employees and students service to be offering services to the public, and therefore considers them unprotected by the Stored Communications Act. That means they could get communications from those entities with only a subpoena, and maybe even just a polite request if your employee agreement or your school's privacy policy allows it.
The Stored Communications Act strongly protects communications that have been in 'electronic storage' for 180 days or less, but the government has a very narrow reading of what 'electronic storage' means in the statute. The government doesn't consider already-read or opened incoming communications to be in electronic storage (for example, emails in your inbox that you've already looked at, or voicemails in your voicemail account that you've saved after listening). Nor does the government consider messages in your sent box or messages in your drafts box to be in 'electronic storage.' Under the government's view, here's how your communications are treated under the law:
New unopened communications: If the email or voice-mail messages are unopened or unlistened to, and have been in storage for 180 days or less, the police must get a search warrant. However, you are not notified of the search.
Opened or old communications: If you have opened the stored email or voice-mail messages, or they are unopened and have been stored for more than 180 days, the government can use a special court order — the same “D” orders discussed — or a subpoena to demand your communications. Either way, the government has to give you notice (although, like with sneak & peek search warrants, that notice can sometimes be delayed for a substantial time, and as far as we can tell almost always is delayed). However, the police may still choose to use a search warrant instead of a D order or subpoena, so they don’t have to give you notice at all.
Notably, the Ninth Circuit Court of Appeals has disagreed with the government's reading of the law, finding that communications are in electronic storage even after they are opened — meaning that the government needs a warrant to obtain opened messages in storage for 180 days or less.
In sum, although the law sometimes requires the government to get a warrant before accessing communications you’ve stored with your communication provider, it doesn’t always. For this reason, storing your communications on your own computer is preferable — the government will almost always need a warrant if it wants to seize and search the files on your computer.
In the last section, you learned that wiretapping and pen-trap tapping are powerful and routine government surveillance techniques, and got an idea of how often those techniques are legally used. In this section, you'll learn how to defend yourself against such real-time communications surveillance. As we'll describe in detail below, unless you take specific technical measures to protect your communications against wiretapping or traffic analysis — such as using encryption to scramble your messages — your best defense is to use the communications methods that possess the strongest and clearest legal protections: postal mail and landline telephones.
What About Phone Calls Using the Internet?
Your "wire communications" or voice communications are subject to stronger legal protections than your other communications, regardless of what communications medium you use. So, for example, whether government agents intercept your landline telephone call, your cellular telephone call, or a telephone call made over the Internet, the Wiretap Act's exclusionary rule will prevent them from using that information as evidence against you in a criminal trial if they didn't get a wiretap order first. In contrast, the statute wouldn't prevent the government from using illegally intercepted "electronic communications" like text messages or emails as evidence.
Therefore, you may want to consider using Voice-over-IP (VoIP) services, which allow you to send live voice communications — basically, phone calls — over the Internet. VoIP may be more private than regular calls for one big reason: it's easier to encrypt your conversation, as encrypting regular phone calls is very difficult and expensive. Unfortunately, there isn't any obviously effective and trustworthy option for encrypted VoIP that we can recommend at the moment. See our article on VoIP for futher details.
Learn to Encrypt Your Internet Communications
Always remember that anyone with access to a wire or a computer carrying your communications, or within range of your wireless signal, can intercept your Internet communications with cheap and readily available equipment and software. Lawyers call this wiretapping, while Internet techies call it "packet sniffing" or "traffic sniffing". The only way to protect your Internet communications against wiretapping by the government or anyone else is by using encryption. Of course, it is true that most encryption systems can be broken with enough effort. However, breaking modern encryption systems usually requires that an adversary find a mistake in the way that the encryption was engineered or used. This often requires large amounts of effort and expense, and means that encryption is usually a critically significant defensive measure even when it isn't totally impregnable.
Encryption, unfortunately, isn't always easy to use, so as in other cases, your decision of whether to use it will pose a trade-off: is the inconvenience of using the encryption worth the security benefit?
The occasional inconvenience posed by some encryption systems is counter-balanced by the fact that encryption will protect you against much more than overzealous law enforcement agents. Your Internet communications are vulnerable to a wide range of governmental and private adversaries in addition to law enforcement, whether it's the National Security Agency or a hacker trying to intercept your credit card number, and encryption will help you defend against those adversaries as well.
Also, as described in later sections, encrypting your communications not only protects against wiretapping but can also protect your communications while they are stored with your communications provider. So, for example, even if the government is able to seize your emails from your provider, it won't be able to read them.
Considering all the benefits of encryption, we think that it's usually worth the trade-off, although as always, your mileage may vary depending on your tolerance for inconvience and on how serious you judge the threat of wiretapping to be. In some cases, using encryption may not be inconvenient at all. For example, the OTR encryption system for IM is extremely easy to set up and use; there's little reason not to give it a try. Check out the following articles to learn more about how you can use encryption to protect your internet communications against wiretapping, as well as against traffic analysis using pen-trap taps.
Wi-Fi. Using encryption is especially critical when transmitting your Internet communications over the air using Wi-Fi, since pretty much anyone else in the area that has a wireless-enabled laptop can easily intercept your radio signals. This article will explain how to encrypt the radio signals sent between your laptop and a wireless access point.
Virtual Private Networks (VPNs). Virtual Private Networks or "VPNs" are a potent encryption tool allowing you to "tunnel" communications securely over the Internet.
Web browsers. Some of your web communications can be encrypted to protect against traffic sniffing. Take a look at this article to learn more about HTTPS, the most common web encryption standard, as well as other browser security and privacy tips.
Email and IM. There are a number of poweful tools available for encrypting your emails and your IM messages; take a look at these articles to learn more.
Tor. Tor is free, powerful, encryption-based anonymizing software that offers one of the few methods of defending yourself against traffic analysis using pen-trap taps, and also provides some protection against wiretapping. Visit this article for all the details.
Defend Yourself Against Cell Phone Tracking
As described earlier, the government can use information transmitted by your cellular telephone to track its location in real-time, whether based on what cell phone towers your cell phone is communicating with, or by using the GPS chip included in most cell phones.
Many courts have required the government to obtain a warrant before conducting this type of surveillance, often thanks to briefing by EFF. (For more information on our work in this area, visit EFF's cell tracking page.) However, many other courts have been happy to routinely authorize cell phone tracking without probable cause.
Even more worrisome, the government has the capability to track cell phones without the cell phone provider's assistance using a mobile tracking technology code-named "triggerfish". This technology raises the possibility that the government might bypass the courts altogether. Even if the government does seek a court order before using "triggerfish," though, it will only need to get an easy-to-get pen-trap order rather than a wiretap order based on probable cause.
Put simply, cell phone location tracking is an incredibly powerful surveillance technology that is currently subject to weak technical and legal protections.
Unfortunately, if you want to use your cell phone at all, avoiding the threat of this kind of real-time tracking is nearly impossible. That's because the government can track your cell phone whenever it's on, even if you aren't making a call. The government can even track some cell phones when they are powered down, unless you have also removed the battery. So, once again, there is a security trade-off: the only way to eliminate the risk of location tracking is to leave the cell phone at home, or remove the battery.
For more information about the privacy risks posed by cell phones, take a look at our article on mobile devices. You may also want to take a look at the advice offered by MobileActive.org in its Primer on Mobile Surveillance.
Summing Up
What You Need to Know
Due to a combination of legal and technical factors, face-to-face conversations and conversations using landline telephones are more secure against government wiretapping than cell phone or Internet communications. Cell phone conversations are more vulnerable both technically and legally, while SMS text messaging appears for now to be very insecure both technically and legally. Cell phones also create the risk of location tracking, and the only way to eliminate that risk entirely is to not carry a cell phone or to remove the battery.
When it comes to Internet communications, using encryption is the only way to defend against wiretapping, whether by the government or anyone else.
When it comes to pen/trap taps, on the other hand, most encryption products won't protect the types of information that the government can get. That information needs to be transmitted in the clear so computers can direct it to the proper recipient. Only anonymizing tools like Tor will protect you from traffic analysis via pen/trap tap.
Information Stored By Third Parties
Third parties — like your phone company, your Internet service provider, the web sites you visit and interact with or the search engine that you use — regularly collect a great deal of sensitive information about how you use the phone system and the Internet, such as information about who you're calling, who's emailing or IMing you, what web pages you're reading, what you're searching for online, and more. In addition to those records being compiled about you, there's also data that you choose to store with third parties, like the voicemails you store with you cell phone company or the emails you store with your email provider. In this section, we'll talk about the legal rules that govern when and how law enforcement agents can obtain this kind of information stored by and with third parties. We'll then outline steps that you can take to reduce that risk, by learning how to reduce the amount of information collected about you by third parties, minimize the amount of data you choose to store with third parties, or replace plainly readable data with encrypted versions for storage with third parties.
Some Records Only Require a Subpoena
Basic Subscriber Information Held by Your Communications Providers Is Available With Just a Subpoena
With a subpoena, the government can obtain from your communications providers what is often called "basic subscriber information." Sometimes, the subpoena will specifically name a person whose information is being sought; other times the government will ask for information regarding a particular phone number, Internet username, email address, or IP address. With such a subpoena, the government can (only) get your:
- Name.
- Address.
- The length of time you've used that phone or Internet company, along with service start date and the types of services you use.
- Phone records. They can get your telephone number, as well as local and long distance telephone connection records — those are records identifying all the phone numbers you've called or have called you, and the time and length of each call.
- Internet records. They can get the times you signed on and off of the service, the length of each session, and the IP address that the ISP assigned to you for each session.
- Information on how you pay your bill, including any credit card or bank account number the ISP or phone company has on file.
The government can get this information with no notice to you at all, and can also get a court order forcing your service provider not to tell you or anyone else.
Other Records Require a Court Order
Other Communications Records Held by Your Communications Providers Require a Court Order
In order to get a communications provider to turn over other records beyond basic subscriber information, the government either has to get a search warrant or a special court order. Sometimes called "D" orders, since they are authorized in subsection (d) of section 2703 of the Stored Communications Act, these court orders are much easier to get than search warrants but harder to get than subpoenas. The government can get this information with no notice to you at all, and can also get a court order forcing your service provider not to tell you or anyone else.
In addition to basic subscriber information, your ISP or email provider may maintain records or "logs" of:
- The email addresses of people you send emails to and receive emails from, the time each email is sent and received, and the size of each email
- The IP addresses of other computers on the Internet that you communicate with, when you communicated with them, and how much data was exchanged
- The web addresses of the web pages that you visit
Which, if any, of the above are logged varies, depending on your particular ISP or email provider's privacy policies and resources. However, just about every ISP will log IP addresses and log-on/off times, and keep those logs for at least a few months.
Cellular phone companies may also keep records of which cell tower your phone communicated with when you were making calls. These cell site tower records can help pinpoint your physical location at points in the past, and are increasingly the target of law enforcement investigations. And although some courts have required the government to obtain a warrant based on probable cause before obtaining these records, the government's usual practice is to get such records based on the much lower "D" Order standard.
Not All Records are Protected
Records Collected by Search Engines and Other Web Sites May Not Be Protected
In addition to the logs kept by your communications providers, there are also logs kept by the Web sites that you visit. For example, the Apache web server is currently the most widely used web server on the Internet. In its default configuration, it logs the following information about each request it receives from a web browser:
- requesting host name/IP address
- username of requester (rarely present)
- time of request
- first line of request (indicating requested page, plus some parameters)
- success or failure of request
- size of response in bytes
- the previous page viewed by requester (if any)
- the name and version of the web browser used
However, the server could potentially be configured to log anything you or your browser tells it, in addition to the above.
The Stored Communications Act clearly protects records held by companies that offer the public the ability to send and receive communications — phone companies, ISPs, webmail providers, IM providers, bulletin board sites, etc. However, it does not necessarily protect logs held by web sites that don't offer communications service, which is most of them.
This is particularly worrisome when it comes to search engines. The government's position is that logs kept by search engines are not protected by the Stored Communications Act at all. Considering that these logs can often be linked back to you — either by your IP address or "cookies," or, if you've registered with other services offered by the search engine, by the information you entered when registering — this potential gap in legal protection represents a serious privacy threat.
Some Content Receives Stronger Protection
Emails, Voicemails, and Other Communications Content Stored by Your Communications Providers Receive Stronger Protection
Compared to the relatively weak protection for non-content records, the law gives some extra protection to communications content that you have stored with (or that is otherwise stored by) communications service providers like your phone company, your ISP, or an email provider like Gmail or Hotmail. Your communications providers cannot disclose your stored communications to the government unless the government satisfies the requirements described below; nor can they disclose your stored communications to anyone other than the government without your permission. There is one notable exception, though, for serious emergencies: if the provider believes in good faith that not immediately disclosing the communications could lead to someone’s death or serious injury, they can give them to the government.
Note, however, that these restrictions on the disclosure of your communications only apply to communications providers that offer their services to the public. Even more worrisome, the government doesn’t consider businesses or schools and universities that offer their employees and students service to be offering services to the public, and therefore considers them unprotected by the Stored Communications Act. That means they could get communications from those entities with only a subpoena, and maybe even just a polite request if your employee agreement or your school's privacy policy allows it.
Privacy tip: Use communications providers that serve the public!Don’t let some friend with a mail server in his basement handle your email service unless he is very trustworthy — unlike a regular ISP or public web-mail service, there are no legal restrictions on who your friend shares your emails with.
The Stored Communications Act strongly protects communications that have been in 'electronic storage' for 180 days or less, but the government has a very narrow reading of what 'electronic storage' means in the statute. The government doesn't consider already-read or opened incoming communications to be in electronic storage (for example, emails in your inbox that you've already looked at, or voicemails in your voicemail account that you've saved after listening). Nor does the government consider messages in your sent box or messages in your drafts box to be in 'electronic storage.' Under the government's view, here's how your communications are treated under the law:
New unopened communications: If the email or voice-mail messages are unopened or unlistened to, and have been in storage for 180 days or less, the police must get a search warrant. However, you are not notified of the search.
Opened or old communications: If you have opened the stored email or voice-mail messages, or they are unopened and have been stored for more than 180 days, the government can use a special court order — the same “D” orders discussed — or a subpoena to demand your communications. Either way, the government has to give you notice (although, like with sneak & peek search warrants, that notice can sometimes be delayed for a substantial time, and as far as we can tell almost always is delayed). However, the police may still choose to use a search warrant instead of a D order or subpoena, so they don’t have to give you notice at all.
Notably, the Ninth Circuit Court of Appeals has disagreed with the government's reading of the law, finding that communications are in electronic storage even after they are opened — meaning that the government needs a warrant to obtain opened messages in storage for 180 days or less.
Privacy tip: Use communications providers based in CaliforniaCommunications providers in states that are in the Ninth Circuit, such as California, are bound by Ninth Circuit law and therefore are very resistant to providing the government with opened emails that are 180 days old or less without a warrant.
In sum, although the law sometimes requires the government to get a warrant before accessing communications you’ve stored with your communication provider, it doesn’t always. For this reason, storing your communications on your own computer is preferable — the government will almost always need a warrant if it wants to seize and search the files on your computer.
What Can I Do To Protect Myself?
In the last section, you learned that wiretapping and pen-trap tapping are powerful and routine government surveillance techniques, and got an idea of how often those techniques are legally used. In this section, you'll learn how to defend yourself against such real-time communications surveillance. As we'll describe in detail below, unless you take specific technical measures to protect your communications against wiretapping or traffic analysis — such as using encryption to scramble your messages — your best defense is to use the communications methods that possess the strongest and clearest legal protections: postal mail and landline telephones.
Legal disclaimer: This guide is for informational purposes only and does not constitute legal advice. EFF's aim is to provide a general description of the legal and technical issues surrounding you or your organization's computer and communications security, and different factual situations and different legal jurisdictions will result in different answers to a number of questions. Therefore, please do not act on this legal information alone; if you have any specific legal problems, issues, or questions, seek a complete review of your situation with a lawyer licensed to practice in your jurisdiction.
Links to Wikipdia: Malware, Privacy, Surveillance, Uberveillance
More articles about Uberveillance
More articles about Privacy
Posts
Geen opmerkingen:
Een reactie posten