The U.S. Department of Justice and the FBI believe they don't need a search warrant to review Americans' e-mails, Facebook chats, Twitter direct messages, and other private files, internal documents reveal.
Government documents obtained by the American Civil Liberties Union and provided to CNET show a split over electronic privacy rights within the Obama administration, with Justice Department prosecutors and investigators privately insisting they're not legally required to obtain search warrants for e-mail. The IRS, on the other hand, publicly said last month that it would abandon a controversial policy that claimed it could get warrantless access to e-mail correspondence.
The U.S. attorney for Manhattan circulated internal instructions, for instance, saying a subpoena -- a piece of paper signed by a prosecutor, not a judge -- is sufficient to obtain nearly "all records from an ISP." And the U.S. attorney in Houston recently obtained the "contents of stored communications" from an unnamed Internet service provider without securing a warrant signed by a judge first.
"We really can't have this patchwork system anymore, where agencies get to decide on an ad hoc basis how privacy-protective they're going to be," says Nathan Wessler, an ACLU staff attorney specializing in privacy topics who obtained the documents through open government laws. "Courts and Congress need to step in."
The Justice Department's disinclination to seek warrants for private files stored on the servers of companies like Apple, Google, and Microsoft continued even after a federal appeals court in 2010 ruled that warrantless access to e-mail violates the Fourth Amendment. A previously unreleased version of an FBI manual (PDF), last updated two-and-a-half years after the appellate ruling, says field agents "may subpoena" e-mail records from companies "without running afoul of" the Fourth Amendment.
The department did not respond to queries from CNET Tuesday. The FBI said in a statement that:
In all investigations, the FBI obtains evidence in accordance with the laws and Constitution of the United States, and consistent with Attorney General guidelines. Our field offices work closely with U.S. Attorney's Office to adhere to the legal requirements of their particular districts as set forth in case law or court decisions/precedent.
Not all U.S. attorneys have attempted to obtain Americans' stored e-mail correspondence without a warrant. The ACLU persuaded a judge to ask whether warrantless e-mail access has taken place in six of the 93 U.S. Attorneys' offices -- including the northern California office that's prosecuted an outsize share of Internet cases. The answer, according to assistant U.S. attorney Christopher Hardwood, was "no."
Still, the position taken by other officials -- including the authors of the FBI's official surveillance manual -- puts the department at odds with a growing sentiment among legislators who insist that Americans' private files should be protected from warrantless search and seizure. They say the same Fourth Amendment privacy standards that require police to obtain search warrants before examining hard drives in someone's living room, or a physical letter stored in a filing cabinet, should apply.
After the IRS's warrantless e-mail access policy came to light last month, a dozen Republican and Democratic senators rebuked the agency. Their letter (PDF) opposing warrantless searches by the IRS and signed by senators including Mark Udall (D-Colo.), Mike Lee (R-Utah), Rand Paul (R-Ky.), and Ron Wyden (D-Ore.) said: "We believe these actions are a clear violation of the Fourth Amendment's prohibition against unreasonable searches and seizures."
Steven Miller, the IRS' acting commissioner, said during a Senate hearing that the policy would be changed for e-mail. But he left open the possibility that non-email data -- Google Drive and Dropbox files, private Facebook and Twitter messages, and so on -- could be accessed without a warrant.
Albert Gidari, a partner at the Perkins Coie law firm who represents technology companies, said since the Sixth Circuit Court of Appeals' 2010 ruling in U.S. v. Warshak, the Justice Department has generally sought court warrants for the content of e-mail messages, but is far less inclined to take that step for non-email files.
Before the Warshak decision, the general rule since 1986 had been that police could obtain Americans' e-mail messages that were more than 180 days old with an administrative subpoena or what's known as a 2703(d) order, both of which lack a warrant's probable cause requirement and are less privacy protective. Some e-mail providers, including Google, Microsoft, Yahoo, and Facebook, but not all, have taken the position after Warshak that the Fourth Amendment mandates warrants for e-mail all over the country.
The 180-day rule stems from the Electronic Communications Privacy Act, which was adopted in the era of telephone modems, BBSs, and UUCP links, and long before gigabytes of e-mail stored in the cloud was ever envisioned. Since then, the appeals court ruled in Warshak, technology had changed dramatically: "Since the advent of e-mail, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away... By obtaining access to someone's e-mail, government agents gain the ability to peer deeply into his activities."
A phalanx of companies, including Amazon, Apple, AT&T, eBay, Google, Intel, Microsoft, and Twitter, as well as liberal, conservative, and libertarian advocacy groups, have asked Congress to update ECPA to make it clear that law enforcement needs a warrant to access private communications and the locations of mobile devices.
In November, a Senate panel approved the e-mail warrant requirement, and acted again last month. Rep. Zoe Lofgren, a Democrat whose district includes the heart of Silicon Valley, introduced similar legislation in the House of Representatives.
The political pressure, coupled with public petitions and increased adoption of cloud-based services, has had an effect. In 2011, James Baker, the associate deputy attorney general, warned that requiring search warrants to obtain stored e-mail could have an "adverse impact" on criminal investigations. By March 2013, however, Elana Tyrangiel, an acting assistant attorney general, indicated that the department would acquiesce on some privacy reforms.
"They dropped their opposition in Congress, but they're going to try to wiggle out from under the Fourth Amendment whenever possible," says the ACLU's Wessler. "They probably realize that they couldn't figure out a way to respond to hard questions from Congress anymore."
Separately, the New York Times reported Tuesday evening that the Obama administration may embrace the FBI's proposal for a federal law mandating that tech companies build in backdoors for surveillance. CNET reported last year that the FBI has asked the companies not to oppose such legislation, and that the FBI has been building a case for a new law by collecting examples of how communications companies have stymied government agencies.
Last week, FBI former counterterrorism agent Tim Clemente told CNN that, in national security investigations, the bureau can access records of a previously-made telephone call. "All of that stuff is being captured as we speak whether we know it or like it or not," he said. Clemente added in an appearance the next day that, thanks to the "intelligence community" -- a likely reference to the National Security Agency -- "there's a way to look at digital communications in the past."