Thursday, July 9, 2009

Monitoring of E-mail and Web Usage

By Government and Law Enforcement Officials
Another concern is the extent to which electronic mail (e-mail) exchanges or visits to websites may be monitored by law enforcement agencies or employers. In the wake of the September 11 terrorist attacks, the debate over law enforcement monitoring has intensified. Previously, the issue had focused on the extent to which the Federal Bureau of Investigation (FBI), with legal authorization, used a software program, called Carnivore (later renamed DCS 1000), to intercept e-mail and monitor Web activities of certain suspects. The FBI would install the software on the equipment of Internet Service Providers (ISPs). Privacy advocates were concerned about whether Carnivore-like systems could differentiate between e-mail and Internet usage by a subject of an investigation and similar usage by other people. Technical details of the system were not publicly available, so privacy groups were unable to determine independently exactly what the system could or could not do, which led to their concerns. Section 305 of the 21st Century Department of Justice Appropriations Authorization Act (P.L. 107-273) required the Justice Department to report to Congress at the end of FY2002 and FY2003 on its use of Carnivore/DCS 1000 or any similar system. EPIC obtained the reports in January 2005 under the Freedom of Information Act and placed them on its website.9 The reports indicate that the Justice Department no longer uses Carnivore/DCS 1000, using commercially available software instead. The Justice Department reported that it used commercial software to conduct court-ordered electronic surveillance five times in FY2002 and eight times in FY2003.

The USA PATRIOT Act. Following the terrorist attacks, Congress passed the Uniting and Strengthening America by Providing Appropriate Tools to Intercept and Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, which expands law enforcement’s ability to monitor Internet activities. Inter alia, the law modifies the definitions of “pen registers” and “trap and trace devices” to include devices that monitor addressing and routing information for Internet communications. Carnivore-like programs may now fit within the new definitions. The Internet privacy-related provisions of the USA PATRIOT Act, included as part of Title II, are as follows:

- Section 210, which expands the scope of subpoenas for records of electronic communications to include records commonly associated with Internet usage, such as session times and duration.

- Section 212, which allows ISPs to divulge records or other information (but not the contents of communications) pertaining to a subscriber if they believe there is immediate danger of death or serious physical injury or as otherwise authorized, and requires them to divulge such records or information (excluding contents of communications) to a governmental entity under certain conditions. It also allows an ISP to divulge the contents of communications to a law enforcement agency if it reasonably believes that an emergency involving immediate danger of death or serious physical injury requires disclosure of the information without delay. This section was amended by the Cyber Security Enhancement Act — see below.

- Section 216, which adds routing and addressing information (used in Internet communications) to dialing information, expanding what information a government agency may capture using pen registers and trap and trace devices as authorized by a court order, while excluding the content of any wire or electronic communications. The section also requires law enforcement officials to keep certain records when they use their own pen registers or trap and trace devices and to provide those records to the court that issued the order within 30 days of expiration of the order. To the extent that Carnivore-like systems fall within the new definition of pen registers or trap and trace devices provided in the act, that language would increase judicial oversight of the use of such systems.

- Section 217, which allows a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from a protected computer under certain circumstances, and

- Section 224, which sets a four-year sunset period for many of the Title II provisions. Sections 210 and 216 are excluded from the sunset. Sections 212 and 217 are not, and therefore will expire on December 31, 2005. As discussed below, Congress is considering legislation that would amend this sunset clause, making either more or fewer sections subject to it.

The Cyber Security Enhancement Act, section 225 of the 2002 Homeland Security Act (P.L. 107-296), amends section 212 of the USA PATRIOT Act. It lowers the threshold for when ISPs may voluntarily divulge the content of communications. Now ISPs need only a “good faith” (instead of a “reasonable”) belief that there is an emergency involving danger (instead of “immediate” danger) of death or serious physical injury. The contents can be disclosed to “a Federal, state, or local governmental entity” (instead of a “law enforcement agency”).

Privacy advocates are especially concerned about the language added by the Cyber Security Enhancement Act. EPIC notes, for example, that allowing the contents of Internet communications to be disclosed voluntarily to any governmental entity not only poses increased risk to personal privacy, but also is a poor security strategy. Another concern is that the law does not provide for judicial oversight of the use of these procedures.10 A Senate Judiciary Committee hearing on September 23, 2004 explored some of these concerns.

Several House and Senate committees held hearings in the first session of the 109th Congress on various provisions of the USA PATRIOT Act, and more are expected in the second session, as Congress debates whether to extend the “sunset date,” or expiration date, of several provisions of that act. Under Section 224, a number of sections would have expired on December 31, 2005, including Sections 212 and 217. Section 210 and Section 216 are not subject to the sunset clause (i.e., they are permanent).

Several bills were introduced to modify the sunset clause by making temporary provisions permanent, by making permanent provisions temporary, or by modifying reporting requirements or otherwise enhancing oversight of how the provisions are implemented. As December 31, 2005 approached, the issue became very contentious. The House passed a permanent extension (i.e., it repealed the sunset clause) in H.R. 3199. The Senate, however, passed only a six-month extension (S. 2167) to allow time for further consideration of concerns by some Senators that more civil liberties protections are needed. The House did not agree with the Senate action, and amended S. 2167 so that the extension was only for five weeks (through February 3, 2006) to ensure that the Congress dealt with the issue early in the second session. Debate may be influenced by revelations in December 2005 that President George W. Bush directed the National Security Agency to monitor phone calls and e-mails in the United States without warrants. (For further information on the debate over warrantless searches, see the CRS general distribution memorandum at this CRS website: [http://www.crs.gov/products/browse/documents/WD00002.pdf].)

The 9/11 Commission Report, and Creation of the Privacy and Civil Liberties Oversight Board. On July 22, 2004, the “9/11 Commission” released its report on the terrorist attacks.11 The Commission concluded (pp. 394-395) that many of the USA PATRIOT Act provisions appear beneficial, but that “Because of concerns regarding the shifting balance of power to the government, we think that a full and informed debate on the Patriot Act would be healthy.” The Commission recommended that “The burden of proof for retaining a particular governmental power should be on the executive, to explain (a) that the power actually materially enhances security and (b) that there is adequate supervision of the executive’s use of the powers to ensure protection of civil liberties. If the power is granted, there must be adequate guidelines and oversight to properly confine its use.” The Commission also called for creation of a board within the executive branch “to oversee adherence to the guidelines we recommend and the commitment the government makes to defend our civil liberties.” The commissioners went on to say that “We must find ways of reconciling security with liberty, since the success of one helps protect the other. The choice between security and liberty is a false choice, as nothing is more likely to endanger America’s liberties than the success of a terrorist attack at home. Our history has shown us that insecurity threatens liberty. Yet, if our liberties are curtailed, we lose the values that we are struggling to defend.”

The 108th Congress passed legislation implementing many of the Commission’s recommendations, the Intelligence Reform and Terrorism Prevention Act (S. 2845, P.L. 108-458). Section 1061 of that act creates a Privacy and Civil Liberties Oversight Board as part of the Executive Office of the President. According to the bill’s sponsor, Senator Collins, the Board’s purpose is to “ensure that privacy and civil liberties concerns are appropriately considered in the implementation of all laws, regulations, and policies that are related to efforts to protect the Nation against terrorism.”12 It must report to Congress annually on an unclassified basis to the greatest extent possible. It will be composed of five members, two of whom (the chairman and vice-chairman) must be confirmed by the Senate. All must come from outside the government to help ensure their independence.

National Journal reported on January 13, 2006 that although the five members of the Board have been appointed, the chairman and vice chairman have not yet been confirmed by the Senate.13 An August 2005 Reuters report cited critics (including a former 9/11 Commissioner, Members of the House and Senate, and others) as concluding that the panel is a “toothless, underfunded shell with inadequate support” from the President.14

H.R. 1310 (Maloney) was introduced in the first session of the 109th Congress to make a number of changes, including establishing the Board as an independent agency in the executive branch, instead of part of the Executive Office of the President; setting out certain qualifications for Board members; and requiring that all of the Board members be confirmed by the Senate, not just the chairman and vice-chairman. There was no legislative action on the bill during the first session. As with debate over the USA PATRIOT Act, this discussion may be influenced by the controversy over warrantless searches (see above).

Government Access to Search Engine Data (e.g. Google). In January 2006, Internet search engine company Google indicated that it was resisting a Justice Department subpoena requiring the company to provide the government with data on searches made by users.15 The Justice Department reportedly is seeking the data to help it in a court case to uphold the Child Online Protection Act (COPA), which was enacted to protect children using the Internet from objectionable material such as pornography.16 According to various media reports, other search engine companies, including Yahoo!, MSN, and America Online, did comply with the government’s request. Although much of the publicity focused on the extent to which the privacy of Internet users would be undermined if the government could access such data, some observers pointed out that the data are anonymous, and Google’s response might be stimulated more by business concerns (e.g., revealing proprietary information) than privacy concerns.17 Nevertheless, public response suggests that some consumers now worry about what search terms they use, lest the government track their activities and draw erroneous conclusions.18

By Employers
There also is concern about the extent to which employers monitor the e-mail and other computer activities of employees. The public policy concern appears to be not whether companies should be able to monitor activity, but whether they should notify their employees of that monitoring. A 2005 survey of 526 companies by the American Management Association and the ePolicy Institute found that 76% monitor Web usage, and 55% retain and review e-mail messages.19 The survey found that 26% of the companies had fired employees for misusing the Internet, and 25% had fired workers for e-mail misuse. Regarding notice, the survey reported that 80% of the companies inform workers that they are monitoring content, keystrokes, and time spent at the keyboard; 82% inform workers that computer files are stored and reviewed; 86% inform workers that e-mail is monitored; and 89% inform workers that Web usage is tracked. One criticism is that top-level employees may not be subject to the same monitoring as rank-and-file workers.20

By E-Mail Service Providers: The “Councilman Case”
In what is widely regarded as a landmark ruling concerning Internet privacy, the U.S. Court of Appeals for the First Circuit in Massachusetts ruled (2-1) on June 29, 2004 that an e-mail service provider did not violate federal wiretapping statutes when it intercepted and read subscribers’ e-mails to obtain a competitive business advantage. The ruling upheld the decision of a lower court to dismiss the case.

The case involved an e-mail service provider, Interloc, Inc., that sold out-of-print books. According to press accounts21 and the text of the court’s ruling,22 Interloc used software code to intercept and copy e-mail messages sent to its subscribers (who were dealers looking for buyers of rare and out-of-print books) by competitor Amazon.com. The e-mail was intercepted and copied prior to its delivery to the recipient so that Interloc officials could read the e-mails and obtain a competitive advantage over Amazon.com. Interloc Vice President Bradford Councilman was charged with violating the Wiretap Act.23 The court’s majority opinion noted that the parties stipulated that, at all times that the Interloc software was performing operations on the e-mails, they existed in the random access memory or in hard drives within Interloc’s computer system.

The case turned on the distinction between the e-mail being in transit and being in storage (and therefore governed by a different law24). The government argued that the e-mails were copied contemporaneously with their transmission, and therefore were intercepted under the meaning of the Wiretap Act. Judges Torruella and Cyr concluded, however, that they were in temporary storage in Interloc’s computer system, and therefore were not subject to the provisions of the Wiretap Act. They further stated that “We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communication. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology.... However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly.” (pp. 14-15). In his dissent, Judge Lipez stated, conversely, that he did not believe Congress intended for e-mail that is temporarily stored as part of the transmission process to have less privacy than messages as they are in transit. He agreed with the government’s contention that an “intercept” occurs between the time the author hits the “send” button and the message arrives in the recipient’s in-box. He concluded that “Councilman’s approach to the Wiretap Act would undo decades of practice and precedent ... and would essentially render the act irrelevant.... Since I find it inconceivable that Congress could have intended such a result merely by omitting the term ‘electronic storage’ from its definition of ‘electronic communication,’ I respectfully dissent.”25

Privacy advocates expressed deep concern about the ruling. Electronic Frontier Foundation (EFF) attorney Kevin Bankston stated that the court had “effectively given Internet communications providers free rein to invade the privacy of their users for any reason and at any time.”26 The five major ISPs (AOL, Earthlink, Microsoft, Comcast, and Yahoo) all reportedly have policies governing their terms of service that state that they do not read subscribers’ e-mail or disclose personal information unless required to do so by law enforcement agencies.27 The U.S. Department of Justice appealed the court’s decision, and several civil liberties groups filed a “friend of the court” brief in support of the government’s appeal. In August 2005, the First Circuit Court of Appeals overturned the lower court’s decision 5-2.28

Two bills were introduced in the 108th Congress that would have affected this debate by amending either the Wiretap Act or the Stored Communications Act. There was no action on either bill.

In the first session of the 109th Congress, H.R. 3503/S. 936 were introduced to amend the Wiretap Act to clarify that it applies “contemporaneous with transit, or on an ongoing basis during transit, through the use of any electronic, mechanical, or other device or process, notwithstanding that the communication may simultaneously be in electronic storage.” There was no action on the bills in 2005.

Endnotes

9 See [http://www.epic.org/privacy/carnivore/2002_report.pdf], and [http://www.epic.org/privacy/carnivore/2003_report.pdf].

10 [http://www.epic.org/alert/EPIC_Alert_9.23.html]. See entry under “[3] Homeland Security Bill Limits Open Government,” and click on hyperlink to EPIC’s February 26, 2002 letter to the House Judiciary Committee.

11 National Commission on Terrorist Attacks Upon the United States. The 9/11 Commission Report. 585 p. [http://www.9-11commission.gov/report/911Report.pdf].

12 Congressional Record, December 8, 2004, p. S11974.

13 Friel, Brian. Civil Liberties Board Has Yet To Get Off the Ground. National Journal, January 13, 2006. Available on the govexec.com website at [http://www.govexec.com/story_page.cfm?articleid=33176&dcn=todaysnews]

14 Drees, Caroline. “U.S. Civil Liberties Board Struggles Into Existence.” Reuters, August 4, 2005, 12:33 (via Factiva).

15 Delaney, Kevin. Google to Buck U.S. on Data Request — Firm Resists Agency’s Efforts to Obtain Scaled-Back List of Web Sites, Search Queries. Wall Street Journal, January 20, 2006, p. A3 (via Factiva).

16 For a discussion of COPA, see CRS Report RS21328, Internet: Status of Legislative Attempts to Protect Children from Unsuitable Material on the Web, by Marcia S. Smith.

17 Liptak, Adam. In Case About Google’s Secrets, Yours Are Safe. New York Times, January 26, 2006, p. 1 (via Factiva).

18 Hafner, Katie. After Subpoenas, Internet Searches Give Some Pause. New York Times, January 25, 2006, p. 1 (via Factiva).

19 American Management Association. “2005 Electronic Monitoring & Surveillance Survey.” Press Release, May 18, 2005. [http://www.amanet.org/press/amanews/ems05.htm].

20 Sandberg, Jared. “Monitoring of Workers is Boss’s Right But Why Not Include Top Brass?,” Wall Street Journal, May 18, 2005, p. B1 (via Factiva).

21 (1) Jewell, Mark. “Interception of E-Mail Raises Questions.” Associated Press, June 30, 2004, 9:14 pm. (2) Zetter, Kim. “E-Mail Snooping Ruled Permissible.” Wired News, June 30, 2004, 08:40. (3) Krim, Jonathan. “Court Limits Privacy of E-Mail Messages; Providers Free to Monitor Communications.” Washington Post, July 1, 2004, E1 (via Factiva).

22 U.S. v. Bradford C. Councilman. U.S. Court of Appeals for the First Circuit. No. 03-1383. [http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf].

23 The Wiretap Act, 18 U.S.C. §§ 2510-2522, is Title I of the Electronic Communications Privacy Act (ECPA), P.L. 99-508. According to Jewell, op. cit., two other defendants — Alibris, which bought Interloc in 1998, and Interloc’s systems administrator — pleaded guilty.

24 Stored communications are covered by the Stored Communications Act, which is Title II of ECPA, 18 U.S.C. §§ 2701-2711.

25 U.S. v. Bradford C. Councilman, p. 53.

26 Online Privacy “Eviscerated” by First Circuit Decision. June 29, 2004. [http://www.eff.org/news/archives/2004_06.php#001658].

27 Krim, op. cit.

28 McCullagh, Declan. “E-mail Wiretap Case Can Proceed, Court Says.” c|net News.com, August 11, 2005, 14:30:00 PDT.
