                     Little peepers everywhere
July 25, 2012

IN FEBRUARY 1928 the Supreme Court heard the
case of Roy Olmstead, whose conviction on
bootlegging charges relied on evidence obtained by
tapping his phones. Olmstead contended that this
violated the fourth amendment, which protects against
“unreasonable searches and seizures”. The court
disagreed: it held that the fourth amendment protected
Olmstead’s person, home and office, but that
telephone wires “are not part of his house or office
any more than the highways along which they are stretched.” As telephones became more common, the
Olmstead standard grew more untenable. It ended in 1967, when the court decided that fourth
amendment protections extend anywhere a person has “a reasonable expectation of privacy”. If police
wanted to wiretap a phone, they now needed a warrant, just as they would if they wanted to search a
                                          person’s home.
                                          But the warrant requirement applies only to the actual
                                          conversation, not to the numbers dialled from a phone.
                                          Tracking these numbers requires a “pen/trap” tap (pen
                                          registers track the numbers called out from a phone, trap-and-
                                          trace devices record the numbers calling in). In 2001 the
                                          Patriot Act allowed pen/traps to be served on internet-service
                                          providers (ISPs) as well, where they reveal e-mail senders
                                          and recipients, the size of each e-mail sent and received, the
                                          IP address with which a computer communicates and the sites
                                          visited while browsing the web. The standards for getting a
pen/trap approved are far lower than for getting a
wiretap. The Electronic Communications Privacy Act
(ECPA), which was passed in 1986 and remains the
main law governing access to electronic
communication, requires police only to certify to a
court that the information is relevant to an
investigation. For a wiretap, police must show both
probable cause and that “normal investigative
procedures have been tried and failed.”
Wiretaps, which have increased almost tenfold since
data was first reported in 1969, are only the tip of the
surveillance iceberg. In 2011 federal and state courts
approved a total of 2,732 wiretaps; but government agencies made over 1.3m requests for data to
mobile-phone companies. That figure includes wiretaps and pen/traps, but it also includes requests for
stored text messages, device locations and tower dumps, which reveal the presence of everyone—
suspects and not—within range of a particular mobile-phone tower at a particular time. Most of these
requests require no warrants at all. Sometimes all it takes is a subpoena from a prosecutor.
Internet companies have also seen a sharp rise in requests from law-enforcement agencies for
information about their users. Between July and December 2010 Google received 4,601 requests; in the
same period last year that number jumped to 6,321. Among the things that Google is typically asked for
are account information and location data. Twitter, a microblogging service, received 679 requests from
American authorities for information about users in the first half of this year, which is more than it got
in all of 2011. The firm says it complied with three-quarters of these requests, though it does not say
whether it handed over all or simply a fraction of the information requested in each case. Google,
which says it complied with 93% of the requests from American officials in its most recent reporting
period, is similarly vague about what it coughs up.
Web firms say that police tend to grab as much information as they can rather than targeting specific
items relevant to a case, so they have to vet requests carefully. Twitter is also pushing back in court.
Earlier this month a judge in New York ordered Twitter to hand over almost three months’ worth of
messages from a protester involved in the Occupy Wall Street movement accused of disorderly
conduct. Twitter opposed the request, arguing that its users have a reasonable expectation of privacy
(perhaps oddly, given that anyone can follow a twitterer). The judge disagreed; on July 18th, Twitter
                                                 The previous day, the American Civil Liberties Union
                                                 (ACLU) appeared in federal court to force the
                                                 Department of Justice (DoJ) to make public how often
                                                 it uses pen/traps. That would be a welcome
                                                 development. The eight mobile-phone companies that
                                                 were asked collectively for data 1.3m times last year
                                                 revealed that information by choice, in response to a
                                                 letter from a congressman who was prompted to inquire
                                                 by an article in the New York Times. The Pen Register
                                                 Statute, passed as part of the ECPA, requires the DoJ to
                                                 report its use of pen/traps to Congress. But it has
                                                 published no reports since 2009.
                                                 The ECPA could also do with a thorough scouring.
                                                 When it became law there were only 340,000 mobile-
phone subscribers in America, and the
internet was the province of hobbyists and
academics. Distinctions that made sense
then no longer do. E-mail is subject to
differing sets of protections when it is
being typed, sent and stored. A bank
statement printed out and kept in a drawer,
saved on a personal computer or stored in
a private e-mail account is also subject to
varying standards.
Metadata (the records of who people call
and e-mail, and when, as distinct from the
content of conversations) can now be
amassed on a vast scale, and run through
powerful software that can use it to create
a fairly complete portrait of a person’s life
and habits—often far more complete than just a few recorded conversations. It deserves more
protection than it now receives. And citizens, especially those suspected of no crime whose data is
gathered up in a dragnet, deserve more clarity on what law enforcement does with their data and how
long they keep it. Even with the best of intentions, the ECPA is almost impossible to apply consistently
or fairly. Such murkiness serves no one well.
Beyond such changes lies America’s vast national-security apparatus. Among the many expansions of
government snooping power contained in the Patriot Act after the attacks of September 11th, 2001, it
became far easier for the FBI to issue national-security letters, which compel service providers to turn
over vast amounts of data about the recipients of such letters without a court order. The FISA (Foreign
Intelligence Surveillance Act) Amendments Act allows intelligence agencies to eavesdrop on
communications between Americans and people overseas without a probable-cause warrant. FISA
investigations require an order from the FISA Court—which meets in secret, and in the 32 years from
1979 to 2011 rejected a grand total of 11 applications. They are subject to no other review.

