Privacy SOS

“Gagged, sealed and delivered”: ECPA’s secret surveillance regime

Please note that by playing this clip YouTube and Google will place a long term cookie on your computer.

Federal magistrates aren't usually known for their activism outside the courtroom, but US Magistrate Judge Stephen Smith has broken the mold, releasing a paper, "Gagged, Sealed and Delivered," examining surveillance orders granted under the Electronic Communications Privacy Act (ECPA), passed in 1986. What he found should shock Congress into action.

At the end of his exhaustive study, limited only by the secretive nature the ECPA system, Smith concludes that it's "reasonable to infer that far more law-abiding citizens than criminals have been tracked" under the statute, many of whom will never know the government spied on their digital lives. He approximates that 30,000 secret electronic surveillance orders are approved each year, many of them never disclosed to the targets because of the ECPA's "gag, seal and blindfold" provisions.

These are no ordinary warrants, however. Ars Technica breaks down how these "warrant-like" requests differ from a traditional warrant, for example those deployed when police come to arrest you or seize your computer:

Digital "warrant-like" requests to access stored e-mail in an online account, or to wiretap an Internet connection, or to obtain "pen register" information, or to track a cell phone, are obtained from magistrate judges, many times in secret dockets that don't even appear in the federal government's official PACER document system. They come after one-sided ("ex parte") proceedings in which only the government is heard. And they are generally sealed, only to be unsealed once a criminal case is filed. If no such charges are ever brought, the search warrants and the affidavits defending them can remain buried in the murkiest bits of the federal court system; even knowing that they exist can be a challenge. ISPs, which are often targets of such orders, may also be forbidden from disclosing them.

Smith couldn't precisely discern how many secret surveillance orders have been authorized by magistrates since ECPA was signed into law twenty-five years ago. But his experience as a magistrate and detailed research led him to believe that judges were approving too many orders, and that Congress had granted the bench too broad authority to determine whether the secret surveillance orders would ever come to light.

Congress faces a formidable task in deciding which substantive reforms to the ECPA are necessary to keep up with new technology and to strike the appropriate balance between privacy and security for the new century. Equally important are the structural reforms needed to ensure that, going forward, Congress and the judiciary will be able to monitor and maintain the new line between privacy and law enforcement, wherever that line is drawn. That will require the elimination of ECPA’s current gag, seal, and blindfold.

Under current law, in most cases it's up to the magistrate to decide whether or not the government must disclose the existence of a surveillance order to the target, even long after the actual surveillance took place. So in effect, thousands of secret surveillance orders are kept secret forever; Smith doesn't think this is good policy, or serves any justifiable purpose.

Apart from the gag, seal and blindfold secrecy provisions, Smith writes, magistrates and judges have not taken ECPA's obsolescence to task. Many have simply been signing off on orders without looking closely at the underlying statute. After all, quite a bit has changed technologically since 1986; surely the law must change, too? A perfect example of this problem is mobile phone tracking. Smith:

Until 2010, no appellate court had ever addressed the legal standard applicable to cell phone-tracking orders, even though magistrate judges were issuing tens of thousands of such orders every year without appellate guidance. One federal circuit court finally considered the issue in that year, but its decision raised as many questions as it answered.

And what about email? 

The first (and to date the only) appellate case reaching the constitutionality of ECPA provisions on government access to emails was finally decided in 2010, and was commenced only after a magistrate judge unsealed the underlying ECPA orders.

But why? Why has there been so little challenge to the application of decades old rules to cutting edge technologies? From the magistrate's perspective, taking the path of least resistance is a likely culprit. After all, it's easier to simply go along.

What about we ordinary people, potential targets of these secret orders? Can we challenge them? Here secrecy strikes again: if people don't know they are being watched, how can they fight back in court?

There is no real mystery to this unusual state of affairs. Appellate review cannot happen unless one of the parties has both the opportunity and the incentive to appeal. But when it comes to electronic surveillance orders, the poet’s maxim prevails: “In this world, who can do a thing, will not / And who would do it, cannot, I perceive.” To see this, consider the strategic perspective of the three parties who might be aggrieved by an adverse ruling on an electronic surveillance application—the targeted individual, the provider, and the government.

In other words, the only party that's likely to challenge the issuance of an ECPA surveillance order is precisely the person who doesn't know about it: the target.

For example, say the government sends Comcast an ECPA order for your emails. Under current rules, the government could easily bar the company from disclosing the existence of the order to you, the target, and so if you are never charged with a crime you might never know the government was reading your emails. How, then, would you have any chance to appeal the order? You wouldn't.

In this context, two things become increasingly important. The first is that Congress needs to reform and update ECPA, to provide for greater transparency about the number of orders authorized each year, and make stricter rules barring magistrates from effectively sealing proceedings forever. The second is that the Stored Communications Act needs to be updated so that when the government asks for your content held by Google, you — not just Google — have a right to defend it in court.

After all, only Twitter has stepped up to the plate to defend its users from free government access to its client's data. We can't rely on the goodwill of corporations or of magistrate judges. We need to change the law.

Again, Smith:

Perfect transparency in criminal investigations is neither practical nor desirable, but ECPA’s present system of gagging and sealing is surely overkill. If my diagnosis—that ECPA’s regime of secrecy has choked off the oxygen of appellate review necessary for a healthy regulatory scheme—is correct, then the cure is relatively straightforward: open up the information arteries. Greater transparency would enable meaningful oversight not only by appellate courts but also by Congress and the general public.

Congress should take note of Smith's recommendations and change ECPA thusly:

(a) notifying targets and affected individuals, (b) opening court files to the public, and (c) gathering better surveillance data for Congress.

It's past time to update ECPA. Click here for more information and to learn about how you can get involved.

© 2018 ACLU of Massachusetts.