Court Upholds Warrantless Internet Snooping

amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.

Re:And what happened

They're saying that those don't apply in this case because they're not tapping wires, they're looking at logs.

More specifically

[Shadow+Wrought]

They are allowed to look at the sender information on your e-mails and domain of websites you are looking at. The contents of the e-mails and which pages of a website, ie the URL, are still off limits.

Ninth Circuit

Circuit Courts of Appeals only have jurisdiction over cases arising in their proper Circuit. This decision is not applicable anywhere but the Ninth Circuit.

http://upload.wikimedia.org/wikipedia/commons/thum b/d/df/US_Court_of_Appeals_and_District_Court_map. svg/620px-US_Court_of_Appeals_and_District_Court_m ap.svg.png

Editors, please.

Misleading Summary

[logicnazi]

What the ruling held was that the header information of your email (and web browsing I believe) is subject to exactly the same standards as the information about what phone numbers you dial. Mostly this seems like an appropriate and totally correct extension of offline legal standards to the online world. The only reason that it is more problematic is that an email header includes things like the subject which contains a little bit of the content.

Still all things considered this seems like the correct rule. Subject lines don't contain that much information and if you are concerned you can just use an unrevealing subject. Moreover, we already contemplate the possibility that someone who happens to glance at the recipients screen might notice the title so it really doesn't seem like we have the same expectation of privacy for the title of the message as we do for the body.

Anyway for a better more interesting discussion about this case you can check out Orin Kerr's comments over at the Volokh Conspiracy.

How this mess developed

[Animats]

This mess developed over time.

All this stems from a distinction in wiretap law that goes back to the dial telephone era. Listening to voice requires a warrant, because that info belongs to the parties of the call only. But information used by the telephone company itself to route the call, like dial digits, can be requested from the telephone company. A "pen register" was classically a little electromechanical gadget that recorded dial pulses as dashes on a paper tape. There was no way to extract voice info with a pen register.

Then came Touch-Tone. Now the switching data was in the voice channel. After some court decisions, it was established that listening to the voice channel and extracting tones was OK, if done with "minimal" access to the voice channel.

Over time, this led to the "pen register" exception being extended to content the telco didn't process, including tones sent during a call to third-party services like voice mail, packet headers, E-mail headers, cellular location data, etc. Then came a "lower standard for stored messages", which included SMS messages and E-mail. Then came bulk interception via CALEA. Then the Patriot Act.

/me brags about Canada

[Schraegstrichpunkt]

In Canada, the police need a warrant (CanLII link) to get a dialled-number recorder placed on someone's phone (though apparently such a warrant is easier to get than a wire-tapping warrant), so extending this to the Internet wouldn't really be all that scary.

I think Quebec's general unwillingness to trust the federal government probably helps a lot here.

Re:Address implies content

[Anonamused+Cow-herd]

Hmm. Turns out the SF gate article is misleading. Disregard the above. http://blog.wired.com/27bstroke6/2007/07/appeals-c ourt-r.html

Re:Address implies content

[Wrath0fb0b]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here. Heavens I wouldn't want the feds to know I had visited http://mail.google.com/mail/ or https://www.paypal.com/us/cgi-bin/webscr?cmd=_acco unt - then they could figure out all my email and PayPal transactions! Address only implies content for publicly available resources - resources in which you have no reasonable expectation of privacy. If you want to keep something private, stick a login screen in front of it or encrypt it.

As far as your statement that this "search" (which it isn't) is unconstitutional, I defy you to show me where in the constitution the government is restricted from determined to whom a person is writing letters. We are guaranteed privacy for the content of the letter not anonymity in writing letters. These are not synonymous! The constitution is a very specific document - please do not pretend that it forbids practice X just because you think X is incompatible with your normative view of a free society.

Re:Address implies content

[Kadin2048]

The GP was wrong in his interpretation of the court's decision.

They actually realized that a log of IP addresses and a log of URLs are two very different things, and convey different levels of information. This was actually mentioned in a footnote (quoting from the Wired article):

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed.

An example is the difference between a log that shows "http://en.wikipedia.org/wiki/Surface-to-air_missi le, http://en.wikipedia.org/wiki/Missile_guidance" and one that shows "http://66.230.200.100". The latter is analogous to the numbers I'd dial into a phone in order to connect me to someone; the former is more indicative of the content of the communication.

Furthermore, just because a resource is "publicly available" doesn't mean that there's "no reasonable expectation of privacy." I expect that my Wikipedia browsing habits are between me, my ISP, and Wikipedia (and anyone else snooping on the line), likewise, although my Google searches are sent via GET URLs, that doesn't mean that they're public. (Particularly given that there's no alternative method, at least that I'm aware of, to use most search engines.) Libraries are public, also, but that doesn't mean that everyone's records are public information.

Re:And what happened

[mysidia]

But the logs they are looking at are generated by equipment that taps into the wires. And the contents of the logs are not public knowledge, the contents of the second inner envelope are a private matter between a user and their service provider.

They are much more detailed than a list of phone numbers called. They are much more detailed than the address on an envelope.

The logged URL provides more information than the destination address on the packet.

In fact, even knowing that what was sent was a TCP/IP packet requires much more information than merely the source and destination of a Link Layer Packet.. the rough equivalent to a "Pen Register" for Ethernet is discovering a source and destination MAC Address sent over a certain wire, which is fairly uninteresting -- in fact, there is no precise equivalent to a PEN Register, because the header of the MAC frame is indistinguishable from the data signal, and it is not sent at a different frequency, it is necessary to listen on the actual content to hear the headers.

No PEN register is feasible for Ethernet, _without_ examining the data. If dialing signals were indistinguishable from the conversation on ordinary lines, do you suppose PEN registers would ever be allowed in the first place?

If you use the logic that "It's not wires, it's logs" to say it's not wiretapping, then any voice conversations can potentially be monitored, the only thing that needs to stop them from being considered "wiretapping" is to record the conversation, law enforcement agencies could then partner with major telcos, and arrange for them to "log" random bits and pieces of the PCM data for later review.

Think of a web connection as mailing a friend a letter that contains their address, but inside this outer envelope there is one or more second "inside" envelope that the friend has agreed to mail out. Then the address on these second "inner envelopes" is not public knowledge, and it cannot be easily seen by anyone other than the recipient of the outer envelope.

You can have several nested layers of envelopes -- then only the final recipient knows the real destination address (and that there are not more envelopes to be sent out to other addresses).

The first few envelopes are for your ISP's eyes only.. your ISP is a party to this conversation.

The next envelope (the actual TCP/IP packet contents) is for a destination host's eyes only.

Followed by the HTTP envelope which is for the web server's eyes only.

The contents of the innermost envelope are a private matter between a user and the TCP/IP service the user has connected to.

You can certainly listen in on these conversations if you are not the destination, such as packet sniffing, or by inserting a firewall or switch that digs in deeply and logs things.

But to not consider all these activities "tapping" the wire for the purposes of wiretap law is scary, since it in effect means monitoring can be accomplished on a packet switched network without it being considered wiretapping.

All you have to do is convince an interim provider to log packets as they are forwarding them to another agent. The fact that they only arbitrarily log the URL (which generally provides enough information to re-construct what the user saw), doesn't mean they can't in the future log more.

Chances are good these logs (especially for e-mail) also provide information on the unique message id and content length, which can also be used to discover (or verify) the contents of a message matches a candidate specimen [i.e. can confirm the message received was X].