With tax day behind us, taxpayers may soon have something else to celebrate from the IRS. In testimony before the Senate Finance Committee today, IRS Acting Commissioner Steven Miller was questioned aggressively about documents released by the ACLU last week that indicate that the IRS does not think it needs a warrant to read all emails and other electronic communications during criminal investigations. Under pressure from senators, Miller agreed to update IRS policy documents within 30 days to state that a warrant is required for access to all emails, regardless of their age.
Two senators from opposite sides of the aisle, Senator Grassley (R-IA) and Senator Wyden (D-OR), pressed Miller about whether the IRS has sought or obtained emails without a warrant since a federal appeals court ruled in 2010 that a warrant is required for all emails. (You can watch the hearing here. Sen. Grassley’s questions start at 1:25:00 and Sen. Wyden’s questions start at 1:31:10.) They asked why the IRS seems to be ignoring that 2010 decision—United States v. Warshak—in most of the country, and advising its criminal investigative agents that emails stored on a server for more than 180 days can be obtained without a warrant. Surprisingly, Miller answered that the IRS follows Warshak across the country. That’s not what internal IRS documents and its public policy manual show, but if true it is welcome news. Importantly, Miller committed to clarify written IRS policy within 30 days to state that a warrant is always required.
Miller’s testimony leaves several important questions unanswered, however:
- Although Miller stated that the IRS Criminal Investigation unit obtains warrants for all emails, he did not discuss other forms of electronic communication such as text messages, instant messages, and direct messages on social media. Under the Fourth Amendment, a warrant should be required for those private communications as well.
- Miller stated that, to his knowledge, the IRS has not obtained electronic communications without a warrant in the past. But an internal IRS Chief Counsel Advice memorandum from 2011 reveals that, months after Warshak, IRS investigative agents requested emails from an internet service provider without a warrant at least once. The IRS should explain when it started following Warshak nationally, and whether it has sought or obtained emails without a warrant in the past.
We applaud Senators Grassley and Wyden for quickly taking up this important issue and getting an answer from the IRS, less than a week after the ACLU released the IRS documents. But while the IRS’s apparent change of policy is a step in the right direction, there is more for Congress to do. The current IRS policy manual relies on the outdated Electronic Communications Privacy Act (ECPA), which only requires a warrant for some emails and other electronic communications. In order to uniformly protect the privacy of Americans’ private communications, lawmakers must update ECPA to require a warrant for the contents of all electronic communications, regardless of age or other factors. Strong reform legislation has been introduced by a bipartisan group of sponsors, and is starting to make its way through the legislative process. Follow this link to urge Congress to modernize our electronic privacy law and close the loophole that’s letting the government access email and other electronic communications without a warrant.
Everyone knows the IRS is our nation’s tax collector, but it is also a law enforcement organization tasked with investigating criminal violations of the tax laws. New documents released to the ACLU under the Freedom of Information Act reveal that the IRS Criminal Tax Division has long taken the position that the IRS can read your emails without a warrant—a practice that one appeals court has said violates the Fourth Amendment (and we think most Americans would agree).
Last year, the ACLU sent a FOIA request to the IRS seeking records regarding whether it gets a warrant before reading people’s email, text messages and other private electronic communications. The IRS has now responded by sending us 247 pages of records describing the policies and practices of its criminal investigative arm when seeking the contents of emails and other electronic communications.
So does the IRS always get a warrant? Unfortunately, while the documents we have obtained do not answer this question point blank, they suggest otherwise. This question is too important for the IRS not to be completely forthright with the American public. The IRS should tell the public whether it always gets a warrant to access email and other private communications in the course of criminal investigations. And if the agency does not get a warrant, it should change its policy to always require one.
The IRS and Email: Reading Between the Lines
The federal law that governs law enforcement access to emails, the Electronic Communications Privacy Act (ECPA), is hopelessly outdated. It draws a distinction between email that is stored on an email provider’s server for 180 days or less, and email that is older or has been opened. The former requires a warrant; the latter does not. Luckily, the Fourth Amendment still protects against unreasonable searches by the government. Accordingly, in 2010 the Sixth Circuit Court of Appeals decided in United States v. Warshak that the government must obtain a probable cause warrant before compelling email providers to turn over messages.
However, the IRS hasn’t told the public whether it is following Warshak everywhere in the country, or only within the Sixth Circuit.
The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.
Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.
Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was not.
The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.
The first indication that the IRS was considering the effect of Warshak came in an October 2011 IRS Chief Counsel Advice memorandum available on the IRS website but not provided in response to our FOIA request. An IRS employee sought guidance about whether it is proper to use an administrative summons, instead of a warrant, to obtain emails that are more than 180 days old. (The emails in question were located on an internet service provider’s (ISP) server somewhere in the territory covered by the Ninth Circuit Court of Appeals). The memo summarized the holding of Warshak and advised that “as a practical matter it would not be sensible” to seek older emails without a warrant. This is good advice, but the memo’s reasoning leaves much to be desired. The memo explained that Warshak applies only in the Sixth Circuit but that, because the ISP had informed the IRS that it did not intend to voluntarily comply with an administrative summons for emails, there was not “any reasonable possibility that the Service will be able to obtain the contents of this customer’s emails . . . without protracted litigation, if at all.” Any investigative leads contained in the emails would therefore be “stale” by the time the litigation could be concluded, making attempted warrantless access not worthwhile.
The memo misses another chance to declare that agents should obtain a warrant for emails because the Fourth Amendment requires it. Instead, the memo’s advice (which may not be used as precedent and is not binding in other IRS criminal investigations) is limited to situations in the Ninth Circuit where an ISP intends to challenge warrantless requests for emails. The IRS shouldn’t obey the Fourth Amendment only when it faces the inconvenience of protracted litigation; it should recognize that the Fourth Amendment requires warrants for the contents of emails at all times.
Finally, to the present: has the IRS’s position changed this tax season? Apparently not. The current version of the Internal Revenue Manual, available on the IRS website, continues to explain that no warrant is required for emails that are stored by an ISP for more than 180 days. Apparently the agency believes nothing of consequence has changed since ECPA was enacted in 1986, or the now-outdated Surveillance Handbook was published in 1994.
The IRS Owes the American Public an Explanation—and a Warrant Requirement
Let’s hope you never end up on the wrong end of an IRS criminal tax investigation. But if you do, you should be able to trust that the IRS will obey the Fourth Amendment when it seeks the contents of your private emails. Until now, that hasn’t been the case. The IRS should let the American public know whether it obtains warrants across the board when accessing people’s email. And even more important, the IRS should formally amend its policies to require its agents to obtain warrants when seeking the contents of emails, without regard to their age.
(We also sent FOIA requests to the FBI and other components of the Department of Justice—we will be receiving records from those offices in the coming weeks).
Two Out of Every Three US Demands to Google Come Without A Warrant
This morning, Google released their semi-annual transparency report, and once again, it revealed a troubling trend: Internet surveillance around the world continues to rise, with the United States leading the way in demands for user data.
Google received over 21,000 requests for data on over 33,000 users in the last six months from governments around the world, a 70% increase since Google started releasing numbers in 2010. The United States accounted for almost 40% of the total requests (8,438) and the number of users (14,791). The total numbers in the US for 2012 amounted to a 33% increase from 2011. And while Google only complied with two-thirds of the total requests globally, they complied with 88% of the requests in the United States.
Admirably, Google expanded their transparency report this time around, providing more detailed information about what kind of requests they get from the US government—specifically the type of requests they get under the main email privacy law in the US, the Electronic Communications Privacy Act (ECPA).
EFF has long criticized ECPA for not providing email with the same warrant protection as the Fourth Amendment gives to physical letters and phone calls. The Justice Department believes that it doesn’t need a warrant for emails over 180 days. Google’s lawyers, to their credit, have criticized the law as well, saying just this week, “our view is that [ECPA] is out of compliance with the Fourth Amendment because the government can call for the production of your data without a search warrant.”
This week, EFF – along with a host of other civil liberties groups – is protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. Here is everything you need to know about the bill and why we are protesting:
What is “CISPA”?
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend against cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated and the actual bill language is in flux.
Under CISPA, can a private company read my emails?
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers’ needs to protect their rights and property with their subscribers’ right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
What would allow a company to read my emails?
CISPA has such an expansive definition of “cybersecurity threat information” that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Under CISPA, can a company hand my communications over to the government without a warrant?
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long as the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.
Under CISPA, what can I do if a company improperly hands over private information to the government?
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
What government agencies can look at my private information?
Under CISPA, companies are directed to hand “cyber threat information” to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.
Can the government use my private information for other purposes besides “cybersecurity” once they have it?
Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.
Can the government use my private information to go after alleged copyright infringers and whistleblower websites?
Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”
The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.
A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.
What can I do to stop the government from misusing my private information?
CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above. But any such lawsuit will be difficult to bring. For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government.
Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.
Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.
In addition, while CISPA does mandate that an Inspector General issue a report to Congress on the government’s use of this information, its recommendations or remedies do not have to be followed.
Why are Facebook and other companies supporting this legislation?
Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.
Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.
What can I do to stop this bill?
It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.