Before trading in the park bench for a Gmail account, journalists must decide if technology companies’ terms of service are enough to protect their sources from government surveillance.
Online service providers Apple, Dropbox, Facebook, Google, Microsoft, Twitter, WordPress.com and Yahoo include policies in their terms of service that require the government to obtain a warrant for content and that promise to notify users if the government requests their information.
Since 2011, the Electronic Frontier Foundation (EFF) has evaluated online service providers based on privacy and transparency policies concerning government request for data. The 2014 edition of “Who Has Your Back” shows that technology companies are working harder to protect user privacy rights.
EFF Staff Attorney Nick Cardozo, who co-authored the report, says significant improvements in industry standards since 2013 are a reaction to Edward Snowden’s NSA disclosures.
The providers who require a warrant and notify users about demands also publish transparency reports and law enforcement guidelines and defend users’ privacy rights in Congress, according to the report. Additionally, all but WordPress defend those user privacy rights in the courts.
According to Cardozo, now these companies include a “binding promise” in their terms of service to alert users to data requests with the exception of gag orders and emergency situations marked by exigent circumstances.
Despite their increasing compliance with user protection policies, none of these online service providers distinguish between journalists and any other subscriber.
“They’re starting to treat everybody in a fairly uniform way, partly because I doubt they are able to identify who’s a journalist and who’s not,” said Lucy Dalglish, dean of the University of Maryland’s journalism school and former director of the Reporters Committee for Freedom of the Press. “The public has spoken and these companies have decided it’s good business to listen to them.”
“We treat everyone as if they were the New York Times,” according to Paul Sieminski, the general counsel for Automattic, Inc., which owns and operates WordPress.com. “We have the same rules for everyone.”
“I think anybody that’s writing and publishing on the internet, which we make easy for anyone to do, is a journalist or has a potential to be one,” Sieminski added. “I would say all of our info requests are for journalists in some way.”
But according to Dalglish, “These companies are not doing this because they want to help confidential sources. For them, they’re doing this because it’s better business practice. They’re going to fight but they’re not legally bound to.”
While that’s not inherently problematic, Dalglish said it does foretell how far they will go to defend user rights.
“After they exhaust the first legal processes they tell you they can do, is someone at Google going to go to jail? No, they’re not.”
The government’s habit of exercising alternative methods to the warrant — methods that carry some of the same weight as a warrant without the probable cause or judicial oversight — also raise important concerns.
National Security Letters, issued and overseen by the FBI, are one method of sidestepping these terms. NSLs cannot be used to request actual content, but they do grant law enforcement agents access to communication records.
“No judge has to sign off on them and they come with a gag order that the FBI can impose unilaterally,” said Cardozo. “We’re challenging the constitutionality of this.”
On October 8, the EFF argued Under Seal v. Eric Holder before the U.S. Court of Appeals for the Ninth Circuit. EFF is fighting to uphold a district court’s ruling that the Patriot Acts’ NSL provisions are unconstitutional. Cardozo said they expect a ruling sometime this spring.
According to Cardozo, Google is also fighting at least one but potentially multiple NSLs it had received.
“This case is not technically public, but there was a slip up and the filing docket was temporarily made public by mistake,” said Cardozo. The files were posted on the Internet but taken down when the parties were notified. “Google is gagged so they’re not allowed to say anything.”
Google isn’t the only service provider engaged in negotiations. In 2007, Yahoo fought an order for records from the FISA court.
“Yahoo did as much as they could’ve done. They couldn’t even talk about it until this year,” Cardozo said. “We gave them separate credit [in the report] for that fight because it was one they fought in secret; they couldn’t even take credit for it.”
Apple, Dropbox, Facebook, Google, Microsoft, Twitter, WordPress.com and Yahoo will only honor information requests that are legally binding. But legally binding requests for subscriber business records do not always come with a warrant based on probable cause. Under the Stored Communications Act, governmental entities can request a court order for customer information based on “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” An order under this provision may be accompanied by a delayed notice provision barring the recipient from notifying the user of the request.
When they are served with a subpoena or search warrant for subscriber information, these companies will usually notify the law enforcement agent that they plan to inform the user, said Cardozo.
The result is one of three scenarios: law enforcement will agree, withdraw the request or withdraw it and immediately resubmit one that includes a gag order.
“In our view, that’s exactly how it should be,” said Cardozo. “That’s the system functioning properly from our perspective.
The government can also invoke the so-called “third-party doctrine” to retrieve information that would otherwise require a warrant. The principle that information that has been disclosed to third parties like telephone companies was recognized by the Supreme Court in Smith v. Maryland, which upheld a lower court’s ruling that a phone company’s use of a pen register to apprehend a robbery suspect did not constitute an illegal search.
According to Cardozo, the government has stretched its application to equivocate that any data shared with a third party has no expectation of privacy, the legal justification for NSA tracking.
“We’re starting to see courts pushing back on that,” said Cardozo, who explained that the Sixth Circuit case, United States v. Warshak, ruled that “because there is a fourth amendment expectation of privacy, it does require a warrant to get email in all cases.”
End-to-end encryption may be a solution to government surveillance that would ease the burden on the Internet service provider. In end-to-end encryption, the content itself is encrypted—even to the company providing that communication.
“iMessage is a great example,” said Cardozo. “If you’re using iMessage from iPhone to iPhone, Apple cannot access the information from those messages, even if law enforcement comes with a warrant.”
And the same is true for FaceTime. But Apple is one of the few providers to offer such a service.
“Google is working on it. They’re not quite there, but they’re working on it,” said Cardozo, who explained that Apple is ahead of the pack because they control the software, the device and the servers. “They have complete control of the whole ecosystem.”
But Apple’s encryption has its own caveats. Cardozo said it would take the government at most about two weeks — and probably significantly less time — to access the content. Law enforcement can avoid cracking the encryption code altogether by focusing their efforts on identifying the iPhone owner’s four-digit passcode.
So while the only guaranteed solution to avoid having a service provider turn over records is not to entrust sensitive records to an outside source at all, there is progress in maintaining the confidentiality of reporters’ work product held by these providers.