The article is somewhat confusingly worded. Under the ECPA (passed in 1986), a warrant is required to access email less than 180 days old. Back in the days of POP email, when the user checked his email, it would be downloaded and deleted from the server. So the reasoning was that an email still on the server more than 180 days had been "abandoned" there by the user. What this bill does is apply the warrant requirement to emails older than 180 days as well. So the net effect is that accessing any email will now require a warrant.
When the NSA intercepts it on the wire, under the presumption of investigating international terrorists (presumably in near-real-time) and the then shares it [0] with domestic three-letter-agencies, does it matter that they need a warrant to get it from "provider" (Google, etc.)?
This law applies to all email communications, including those between U.S. persons. The article you linked to talks about incidental data about U.S. persons collected by means other than "from a wire on American soil." Specifically, the NSA collection extends to:
> [The] contents of the phone calls and email the security agency vacuums up around the world, including bulk collection of satellite transmissions, communications between foreigners as they cross network switches in the United States, and messages acquired overseas or provided by allies.
Intelligence Authorization Act for Fiscal Year 2015: section 309 [0]
"A covered communication shall not be retained in excess of 5 years, unless ... (iii) the communication is enciphered or reasonably believed to have a secret meaning;"
That does not refute my point above. Section 309 only applies to incidentally acquired communication that is collected via the routes mentioned above. It does not allow the NSA to collect traffic between domestic endpoints just because it is encrypted.
"covered communication" is defined in the prior page (309.a). The definition stands alone, regardless of how "incidentally" appears on the same page, it makes no reference to proceeding limitation or definitions.
"...any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage."
You don't ignore section headings when reading laws. Besides that, nothing in that section discusses granting authority to collect "covered communication." The section is discussing the retention policies of communications collected by some authorized manner.
> You don't ignore section headings when reading laws.
You do when you are interpreting the laws. They're labels that carry as much weight as subsection markers. To say otherwise would imply that the "Patriot Act" by another name would be interpreted differently, or that bullet point "1" is more important that "2".
> nothing in that section discusses granting authority
Correct, it is a direction to those that already have such authority. While I enjoy the legal equivalent to the underhanded C contest as much as the next guy, the events that spawned this legislation make debating the finer points of section headings seem pretty silly.
You might recall that the NSA has a curious definition of "collect". They use "collect" where most of us would use "search the existing massive database that we already collected".
Regardless of how you feel about a polarizing issue, I don't think anybody on any side has ever claimed that. Pretty big thread derail risk with this one, too.
Wow, well let me ruin your day: you are wrong. Intelligence Authorization Act for Fiscal Year 2015: section 309.
"A covered communication shall not be retained in excess of 5 years, unless ... (iii) the communication is enciphered or reasonably believed to have a secret meaning;"
I'm actually not, and 'rayiner is doing a pretty good job of explaining why in the second place you cited that law (for some reason), so I will not repeat that thread derailment.
Yeah, discussing domestic surveillance legislation in a thread linked to an article covering the latest domestic surveillance legislation is way off topic.
A serious question here: has anyone reading this been arrested, prosecuted or otherwise harassed because of email contents obtained by the NSA? I am not in favor or warrantless searches, but it feels more and more like the tech community treats the NSA like Eastasia.
It's very hard to say, because of the use of parallel construction. We know very little about what the NSA does with its data; even members of Congress are being denied access to this information. But we do know for a fact that the DEA has prosecuted people based on information they received from the NSA.
Tech people should be concerned about this because we are the ones with the knowledge necessary to do something about it. Because there's no transparency, it's impossible to tell how many people have been harmed by the violation of their privacy. It may be that nobody here is in that group: hacker news readers are probably mostly white and upper-middle class, not usually a target demographic. But if we don't do something about invasions of privacy, no one will, because no one else is capable.
You appear to be ignoring the fact that even if you consider the NSA's work benevolent, it is only benevolent to US citizens. Meanwhile lots of us on here are, in fact, not US citizens, especially at this time of day. So the NSA's activities are all negative, no positive to non-Americans.
Hm, kinda strange, I was always under the impression that we didn't quite yet have a public consensus that there's an expectation of privacy in email. Like, not everyone really expects that a given email won't be read by some third party.
>Hm, kinda strange, I was always under the impression that we didn't quite yet have a public consensus that there's an expectation of privacy in email. Like, not everyone really expects that a given email won't be read by some third party.
Never understood those US ideas on such matters. Nobody would want/expect/wont be furious to find out their two party communication was read by somebody else who wasn't meant to get it (and I don't mean show to some third person by your correspondent).
It's not gauging the public belief/sentiment on the matter, but BS ad-hoc "interpretations" of legacy laws allowed courts/pundits to even make such inane claims that people don't expect privacy for their mails.
If we're talking about expectations, then how about them asking people what they expect DIRECTLY (eg with a state/national poll) instead of some court deciding.
I think you fail to account for the fact that we are talking about Constitutional issues. We are not talking about what is an appropriate level of privacy protection under the law. We are talking about what is the minimum standard where a 200-year old document trumps the policies of a democratically elected government.
We are also deciding that question on the basis of a phrase ("reasonable expectation of privacy") that doesn't even appear in that 200 year old document.
That 200 year old document IS the policy of a democratically elected government. The age of the document has no relevance. It's just as valid today as it has ever been.
Well, I wouldn't put much emphasis on "democratically elected government".
Between gerrymandering, faulty or "faulty" voting machines, modern campaign practices that require millions of dollars to run and stick your "branding" to the minds of voters,
and even more important, a system that pretty much guarantees no-one can rise to validly compete grass-roots unless they belong to the two parties -- it's nothing to write home about.
That a 200+ year old document is held as some kind of "holy scripture" of governance and that centuries old dead statesmen are seen in a romantic light as "founding fathers" and guiding spirits (paternalism much?), is even less indicating of a rational modern democracy.
I was being sarcastic, since everyone knows exactly how people would react to their emails being read by an unattended human, and exactly how much privacy the typical person expects, but Poe's Law and all...
Yes in this case you were too cool for school. You gotta give us some hint. Look at poor 'rayiner up there, sincerely defending your sarcastic proposition!
We don't.[1] But expectation of privacy is a 4th amendment concept. Congress can extend greater protections to email by statute than the Constitution requires.
[1] In fact, I think it's ridiculous to say that there is an expectation of privacy in something like GMail, which a third party not only can read but actively mines for personal data about you.
I think it's perfectly reasonable to expect that only Google has access to your stored emails. Not just any government agency whose lawyer drafts a letter.
Would you permit the government, or any random person off the street to remove money from your bank account, just because you've authorized your bank to do so?
Snail mail is also sent by postmen (who can open and read it, or just read it if its a postcard), and telegraphs (still a thing?) are dictated to someone. That doesn't mean people expect or would like having them read by a non-involved person, outside of those necessary reasons for their delivery.
If "expectation" is the criterion, how about actually asking people what they actually expect with a poll of sorts?
The whole "expectation of privacy" as a metric is bogus.
Then again, those are the same people who read gun laws regarding "militias" as valid for 20-21st century individuals (and I'm not saying this as someone anti-gun -- just that, if you like guns and want them, just pass a law saying that, not use some 3 century old unrelated law as an excuse with all the pomposity of the Supreme Court, as if some redneck with a liking for guns is part of a "well regulated militia").
By "gun laws regarding militias" I assume you mean the Second Amendment itself -- few statutes concerning or mentioning militias are used to justify general gun use, but the 2A is and there's an important reason why:
The founders envisioned a nation of citizen-defenders equipped and trained to protect their homes, farms, and neighborhoods from incursion by enemies, foreign or domestic. The Constitution states that the right to keep and bear arms is a prerequisite for a well-regulated militia, not the other way around. And it draws on prevailing notions from English law at the time (the UK, like the USA, didn't start moving to abolish or restrict gun rights until the beginning of the 20th century or thereabouts). This is more than some old, unrelated law; it is the supreme law of the land. If you do not think that it is applicable in the modern era, the solution is to agitate for repeal of the 2A, not to pretend that it doesn't exist or has been outmoded and complain when people act like it still is valid, active, enforceable law.
I'm not even speaking as someone who favors guns. But the Constitution is what it is, and if we don't like it we change it. If the government can get away with ignoring the Second Amendment and deciding it's no longer relevant, think of what they might do to the First Amendment. Or the Fourth. Or the Fifth. Or the Eighth. Or the Thirteenth.
>The founders envisioned a nation of citizen-defenders equipped and trained to protect their homes, farms, and neighborhoods from incursion by enemies, foreign or domestic. The Constitution states that the right to keep and bear arms is a prerequisite for a well-regulated militia, not the other way around.
It doesn't just state that the right to bear arms is a prerequisite for a well-regulated militia.
It also uses the need of a militia as the _justification_ for that right.
It says: "A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed."
This means that the right to bear arms is not an end in itself -- it's justified in as much as it's a first step to a well-regulated militia.
In an era without well-regulated citizen militias (except the National Guard, for which different guard laws apply anyway), there's no reason to hold the right to keep arms anymore.
So, yes, arms are a prerequisite to such militias -- but (the arms) are only asked to be respected as a right precisely because they are such a prerequisite -- and not for another reason.
Which makes the justification for guns and militias reciprocal. Without militias, and no role for them, no reason for the former either.
>But the Constitution is what it is, and if we don't like it we change it. If the government can get away with ignoring the Second Amendment and deciding it's no longer relevant, think of what they might do to the First Amendment. Or the Fourth. Or the Fifth. Or the Eighth. Or the Thirteenth.
I find keeping the "right to bear arms" in an era for which the justification for doing so given in the Constitution has expired, as the government already violating the spirit of the 2nd Amendment (to favor gun lobbies and such).
E.g. that reading of the 2A is a selective reading that upholds the letter while violating the spirit of it, from politically appointed and non impartial judges.
But the Constitution contains no qualification on the right to bear arms. It just says that right shall not be infringed. As long as that's standing law, any judge with a 2A case before them is going to look at the text of the Constitution and the Heller decision and rule that the Constitution protects an unqualified right to keep and bear arms. And anti-gun politicians are not going to get the Australia style total bans and confiscation sweeps they've been hoping for. The most they'll get is bikeshedding about the definition of an "assault weapon" and the like.
If what you say is true, and the militia is of no concern to us today, it should be easy enough to get an amendment passed that removes or curtails the right unconditionally protected by the 2A. It could even just be put out there and float around for as long as it takes the states to ratify it, like the 27th amendment did for centuries.
> It also uses the need of a militia as the _justification_ for that right.
If you believe the comments and the code are out of sync, change one. There's a patch procedure built in. Changing the interpreter to make the output match what you think the comment is saying while leaving the actual instructions intact just increases (tech / legal) debt.
The concepts behind "well regulated militia" are still used to formulate regulations on weapons. In general, it's legal to buy the same gear infantrymen use. Scary black guns with ridiculous rails and accessories, knock yourself out. Sawed off shotguns, not so much.
Precisely. The anti 2A crowd throws a fit when one of their cherished amendments is attacked, but every amendment has equal validity. The first, for example doesn't separate church and state in as much as it prevents the state from establishing a religion (such as the Church of England.)
I am fine with separation of church and state, however the Constitution doesn't actually say that.
If we are to play contextual games (i.e. the militia context,) then that same contextualization would apply to the Church of England context of the first amendment.
I'm afraid there's no point in explaining this kind of stuff here. The prevailing opinion on HN is leftist. Few people are even willing to argue rationally, and since vitriol isn't tolerated, people just silently downvote, sweeping contrary views under the rug of grayness. The downvoters are drawn to grayed-out posts like sharks who smell blood in the water: a swimmer with a small cut soon attracts a school of sharks that massacre him, leaving nothing but an empty space where a comment once was. It's sad, and every time I see it, I question why I even have an account here.
The whole expectation of privacy metric is bogus. It was a gloss added to the 4th amendment by a liberal court. Its not in the text.
As for our deference to this centuries old document: we do it because the Constitution is the only thing that overcomes the democratic will. When the Supreme Court struck down bans on interracial marriage as unconstitutional, the vast majority of Americans were opposed to it.
> The whole expectation of privacy metric is bogus.
Yes and no.
"[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches..." can very reasonably be read as an expectation of privacy. "The government will not, without due cause, search your papers and effects" is a very fair paraphrasing.
Actually it would be a bit more accurate to say the bill completely eliminates any 180 day distinction.
Current law:
"A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section."
18 U.S. Code Β§ 2703(a) - https://www.law.cornell.edu/uscode/text/18/2703
Bill replaces with:
"Except as provided in subsections (i) and (j), a governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication that is in electronic storage with or otherwise stored, held, or maintained by that service only if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) thatβ
(1) is issued by a court of competent jurisdiction; and
(2) may indicate the date by which the provider must make the disclosure to the governmental entity.
In the absence of a date on the warrant indicating the date by which the provider must make disclosure to the governmental entity, the provider shall promptly respond to the warrant."
H.R.699 β 114th Congress (2015-2016) - https://www.congress.gov/bill/114th-congress/house-bill/699/...
So this passed unanimously in the House, and is supported by more than 25% of Senators.
But it might not pass the senate because Grassley doesn't want to discuss it "during an election year"? WTF?!? Where's the controversy? This sounds more like an opportunity for a big bi-partisan win that everyone in both parties could brag about.
IMO, there is not much difference in regulating public stock and public debt. If SpaceX wants to borrow from bank of America fine, but if they want to issue trade-able bonds and borrow from John Q Public that's a separate thing.
PS: Arguably this is the same reason banks are regulated.
Obama, Sanders and Clinton didn't want to discuss encryption around election year either. They knew their constituents are divided on it and that might give Republicans a stronger position.
I believe that's why Congress wouldn't give the FBI a law to mandate that companies decrypt data. And, it sort of explains why Sanders and Clinton both said they sought "middle ground" regarding encryption and then never spoke about it again
If you've already made up your mind to do something that pisses off a lot of your constituents or your party's constituents, you should avoid discussing it during an election year. It's too bad, since more debate would've been more educational for everyone, but it is what it is. Politicians can choose what they want to talk about just like we can.
Its release was delayed. It was meant to come out last year. It didn't get released until after the Democratic debates, and even now it's only in draft form.
Cool. I'm not you. "Wouldn't give" and "did not pass last year" are equivalent to me. Everyone understands Congress must vote on ideas periodically and what I wrote is shorthand for that.
Nope, I'm not. Congressmen discuss bills with each other before releasing. They usually won't come out with something unless there's some support. Obama's been asking for this legislation since Cyrus Vance's whitepaper in November 2015 [1]
For further play-by-play you can skim the white house daily briefings for references to encryption and/or feinstein over the last few months [2].
Have you seen the Senate recently? Grassley is a Republican, and the current MO of the Republican Senate is to do absolutely nothing, no matter how uncontroversial, until the Evil Tyrant Obama is finally defeated.
I was absolutely astounded when I looked up the bill and found my representative (http://yoder.house.gov/) introduced the bill. I probably come down on the opposite side of him on most issues, but kudos to him for his work on this one.
Jared Polis is one of us and got his start in life running an ISP, if I recall. A friend of a friend of a friend ran into him in a League game, allegedly. I'm not surprised.
My knowledge of US criminal law is limited to what I've grokked from watching crime tv shows, so I'm not clear on the definitions of some terms.
Does a search warrant imply that the person being searched will be notified? I know that a court has to approve the request, but wanted to confirm if it means that the person under suspicion is informed. The way the article contrasts this new law to the current ECPA seems to suggest this is the case.
Additionally, the article mentions requests made to service providers. What if I host my own server? Is it just a case of the law agency making the request to my hosting company, or are they required to contact me to get the information?
No notification needed (just like you wouldn't tell someone you were tapping their phone) - though the HR669 writers wanted to include a clause that would make that required too. It got stripped out in committee.
Self-hosted stuff is an interesting question. You might be able to plead the fifth, but I really have no idea.
If you host your own private server, from what I recall reading (and looks consistent with a cursory Google search), a warrant is required to review your emails.
Edit: looks like it only applies to in-home servers, not hosted ones.
Business doesn't care about privacy, until business realizes that the mechanisms used to hunt for terrorists are also used by the IRS.
It will be interesting times for "the cloud" when business realizes that investigations and subpoenas are transparently happening in the background, without the heads-up of marshalls at the doorstep.
This will only hurt small to mid-sized businesses like every other piece of legislation or trade regulation. The fine print so small it's invisible: "Does not apply to the oligarchy."
Endorsing a piece of legislature is very different than actually voting on it. There's a lot of political back and forth for every bill that passes and endorsement is just an early phase when the whips start gathering numbers for who supports a given bill vocally and officially. This will put pressure on the comittee to put the bill on the floor as soon as possible and with little modification.
Once it's slated for the floor vote, the whips and bill sponsors (even more involved than endorsement) will round up the rest of the votes including those who would have voted yes anyway, but couldn't endorse or sponsor for political reasons, and those who need to be convinced through favors and whatnot. Remember, senators are elected by all districts in a state so they have to be more careful politically.
Given the relative difficulty that privacy bills face in Congress, one wonders what kind of vested interests are at play here. Skeletons in the closet?
In the 113th Congress, it looks like the House of Representatives had 95 unanimous votes, where unanimous is defined as having zero no votes and at least one yes vote. This is out of 1204 votes, based on a quick little script I whipped up.
Cool. Thanks. It's the definition of unanimous that's a little fishy. I thought it meant everyone voted Yes for it whereas even a 1 to 0 vote could pass as unanimous, right?
That's why we have a quorum. Half of all seated Senators (51) are required to be present for the Senate to do business. For a House with no vacancies, half means 218 Representatives.
So you're right; fishy "unanimous" votes can and do happen. A controversial measure might pass unanimously in a legislative body because all the opposition walked out in protest. This happened about a month ago in the 50-seat North Carolina Senate, which is dominated by Republicans. [1]
"Yes, we need to read all emails to keep America safe."
whisper whisper from a staff aid
"WHAT? You mean Jenkins down at NSA, Sally at FTC, Bob at FBI, any of them can read MY emails any time and I'd never even know it!? We must do something!"
The defense I kept telling Schneier et al to post, but haven't seen, is how susceptible our dirty Congress is to blackmail. Probably have to be a closed session to get the honesty there. We can present it less like they're scumbags and more like "we know how the world works so let's be real about risk to you and therefore rest of us." I heavily pushed on different blogs extrapolating the Hoover precedent to NSA-level capabilities.
I think it's the best route as it's in their self interests. I think getting the business and international elites on board might be helpful as well. Unfortunately, they often push for surveillance or police states since they're good for business at various levels. However, even a minority push might hold back the worst legislation while letting whatever passes contain a loophole big enough for them and maybe some of us. Plus, they have the money to fund key solutions in the stack.
So, those are two ideas I've pushed in the various debates.
Home email servers require a warrant. It's third-party email servers, or even third-party hosts, that this is addressing. That is assuming my past understanding is correct. It should be unconstitutional as it stands now, as anything password-protected whatsoever should ideally fall under reasonable expectation of privacy.
What's the process in the US to undo/invalidate a law? Is it the same as in other countries, where you'd go through the supreme court? I stated this in another post yesterday, but I firmly think laws may only be passed after a long >=5 years process and those pushing for the same law repeatedly in disguise need to be penalized or precluded from doing so. We see so many things get blocked due to popular outcry, to just be hidden inside trojan package and passed as a side note.
It requires Congress to pass a new law repealing the old; alternatively the Judicial Branch can invalidate the law as well, which would culminate at the level of the US Supreme Court.
If you live in the United States and want to voice your opinion with your senator, http://www.digital4th.org/ has a tool that provides a template along with contact links to the senators for your state.
This is only for Americans right? And what if I run my own email server? Can I be forced to hand over my own emails after 180 days? Are they allowed to hack the server in my basement?
I'm pretty sure they don't need a warrant for obtaining emails for international citizens. Also, this bill doesn't seem to protect for non-warranted snooping by NSA.
