Privacy SOS

Above: the cover of the administrative subpoena the DA of Suffolk county's office sent to Twitter seeking records related to Occupy Boston in December 2011.

When the government wants to listen in on your phone calls, it needs to take an oath to a judge affirming that it believes you are involved in criminal activity. If the evidence looks good, the judge will provide it with a warrant. When everyone used land lines to communicate, this system worked.

But now that most people travel with and use their mobile phones everywhere they go, law enforcement's interest in our telephones has changed substantially. Many times the actual spoken words — the content — of telephone conversations is less useful to investigators than are the transactional details of the calls you make. Transactional records, also called 'metadata', show the GPS location from where calls were made, the numbers called, and the dates and times the phone was used. Email metadata reveals the information in the 'To', 'From', and 'CC' fields, as well as the time and date when the email was sent, and the IP address assigned to the computer that sent it. This information, held by third parties like phone and internet companies, can often tell law enforcement a lot more than they'd be able to discern by listening to what you say over the phone. Unlike us, metadata doesn't lie. And unfortunately for our privacy rights, metadata is also a lot easier for police to access.

In place of asking a judge for a warrant, federal and increasingly state and local law enforcement only need a subpoena in order to compel telecommunications companies (or banks, or even pharmacies) to hand over your private information. An administrative subpoena is simply a piece of paper that a prosecutor fills out and hands to the holder of records. No judge is involved in this process, and prosecutors can obtain this information about us even if they have no evidence that we've broken the law.

When testifying before Congress, Ava Cooper Davis, Deputy Assistant Administrator of the Office of Special Intelligence at the DEA, explained how her agency obtains records using subpoenas:

When a criminal investigator acquires a telephone number for which the subscriber information is not immediately known, the investigator must first identify the telephone company (e.g., Verizon, Sprint, AT&T, etc.) that owns or controls that number. Once the telephone company is identified, the investigator will obtain an administrative subpoena, requesting subscriber name, billing information, and telephone toll records for a specific time frame.

Administrative subpoenas differ from traditional warrants because they are issued by agencies, not judges. Subpoenas are official letters demanding something of the target, either a demand that the target testify or that the target hands over something tangible, like phone records or a computer. Unlike warrants, subpoenas do not need to be based on evidence that there is probable cause to suspect a crime has been committed.

One of the reasons courts have allowed subpoenas without evidence of probable cause is because the subpoenas are issued directly to the holder of the records or to the person whose testimony is sought, and not seen as intrusive as search warrants executed by law enforcement. The legal framework governing access to our metadata wrongly assumes that content is automatically more revealing, and thus deserving of more protection. But metadata reveals the content of our lives, in a way that even content sometimes doesn't.

Making matters worse, when prosecutors issue administrative subpoenas to telecommunications or other third party information holders, the actual subject of the investigation often remains unaware of the intrusion into their private life, because they do not possess their own records — the companies do. Something in legal precedent called the “Third Party Doctrine” says that, as soon as you give records over to a third party, you lose your right to defend them from the government's sticky fingers.

Often the subpoenas ask that the company holding the records not disclose to the target, or the user, that their information is being subpoenaed. That was the case in December 2011 when the Sufflok county DA office in Boston requested information on Occupy Boston affiliated Twitter accounts. Twitter, acting responsibly as it has done in the past, did not comply with the DA's request and notified the users.

Twitter is an outstanding member of the corporate internet community in this regard, but other companies don't appear to make much of an effort to even inform people when the government requests their records.

In order to fix this problem, we need to update both state and federal law to reflect the kinds of communications technologies we use today. The subpoena model for call records may have sufficiently protected our rights in the 1980s, but it does not suffice today. Investigators can learn too much about our private lives simply by filling out a piece of paper and submitting it to companies that maintain our most sensitive records. In Massachusetts, most people don't even know this law exists.

It's not just the NSA. When it comes to our most sensitive metadata, state and local prosecutors can often obtain our most private information–no warrant, judicial oversight, or evidence required.

© 2016 ACLU of Massachusetts.