October 09, 2008
NSA Surveillance: Having a Laugh at the Expense of Your Privacy
ABC News reports about a new scandal arising out of the NSA Surveillance Program:
Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.
According to one of the intercept operators, "US military officers, American journalists and American aid workers were routinely intercepted and "collected on" as they called their offices or homes in the United States." Another intercept operator independently confirmed what the first one had reported.
Not only did they listen in on private conversations, with no connection to terrorism, but they also shared calls that they deemed interesting or funny:
Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer. "Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.
Faulk said he joined in to listen, and talk about it during breaks in Back Hall's "smoke pit," but ended up feeling badly about his actions. . . .
In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted.
"It's not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it," Gen. Hayden testified.
More from the ABC story here.
I'm not surprised by this story. It is a common problem with government surveillance to reach beyond its limits, and for surveillance officials to disseminate information they find humorous or entertaining. For example, it has happened with CCTV in the UK. Hopefully, next year's Congress will do a thorough investigation.
Posted by Daniel J. Solove at 10:20 AM | Comments (0) | TrackBack
September 20, 2008
Big Breaks in the Palin E-mail Breach Investigation
The odds that the Feds will find the person who broke into Sarah Palin's e-mail account are considerably better than I had thought they would have been, because someone who claims to have committed the crime has bragged about it to the infamous 4chan image hosting site. (Quick CoOp aside, every day I better appreciate how the paper by new permablogger Danielle Citron--who first introduced me to 4chan--on Cyber Civil Rights will be a must-read in this day of 4chan and Jason Fortuny.) Although the posts have been deleted, Kim Zetter has reproduced them for Wired's Threat Level blog. First, the user known as "Rubico" bragged about how he had breached the Yahoo account by providing Governor Palin's supposedly private answers to the questions posed by Yahoo's password recovery scheme:
it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
Oh, and about Rubico's screenshots? They apparently reveal the URL bar of Rubico's browser, which in turn reveals that Rubico had not been browsing Yahoo directly but had instead been using an anonymizing proxy service called Ctunnel. Good idea, right?, because Yahoo no doubt captures and preserves the IP addresses used to recover passwords. But although using Ctunnel may have been a good idea, advertising that fact on a screenshot, it turns out, was not:
Gabriel Ramuglia who operates Ctunnel, the internet anonymizing service the hacker used to post the information from Palin's account to the 4chan forum, told Threat Level this morning that the FBI had contacted him yesterday to obtain his traffic logs. Ramuglia said he had about 80 gigabytes of logs to process and hadn't yet looked for the information the FBI was seeking but planned to be in touch with the agents today.
Apparently, providing the screenshot in this case was a particularly dumb move. In another interview Ramuglia notes:
Usually, this sort of thing would be hard to track down because it's Yahoo email, and a lot of people use my service for that . . . . Since they were dumb enough to post a full screenshot that showed most of the [Ctunnel.com] URL, I should be able to find that in my log.
There are more lessons here than are worth listing. A few, after the jump:
For law enforcement:
- The pressure is on. Usually, you would be forgiven for failing to track a crime across the Internet, but if Rubico is the person behind the breach (and I bet you know already whether Rubico's claims match up with information in Yahoo's logs), you should be able to find the identity of Rubico in pretty short order. Many news outlets are now reporting that Rubico is a 20-year old college student in Tennessee whose father is a Democratic state representative.
For would-be Internet criminals:
- Don't brag about your crimes.
- If you're going to brag, brag only to people you know.
- If you're going to brag, don't post screenshots that give away important clues which make it easier to track you!
- Use more than one anonymizing proxy.
For webmail providers:
- As I said last time, people will be scrutinizing your security closely. After discussing Rubico's boasts, Ed Felten has concluded that although it is hard for a service to simultaneously give away accounts to any anonymous person who requests one while still maintaining robust password recovery mechanisms, "it's still surprising that Yahoo's recovery scheme was so weak."
For Gabriel Ramuglia, the person who runs Ctunnel:
- Expect a mixed reaction. On the one hand, many will celebrate your data retention policies for helping the feds get one big step closer to solving this case. On the other hand, other people will consider it a betrayal that you held yourself out as an anonymizing service yet stored this information at all. You don't endear yourself in the eyes of the latter group by moralizing about how people shouldn't be using your service to "conduct illegal activities."
For lawmakers:
- What I said last time. (For examples of people pointing out gaps in the law, see this and this. Oh, and Bill O'Reilly is pissed too.)
For the media:
- Be careful how you report this case. As best as I can tell, the 20-year old who is now having his name dragged through the mud has been linked to the Rubico posts through a series of connections being unearthed by bloggers. Reporters in the MSM seem to be repeating the conclusions of these bloggers without a lot of independent investigation. This guy may, for all I know, be Rubico, but I have yet to read a single article that lays out a case airtight enough to justify such widespread dissemination of the rumor.
Posted by Paul Ohm at 11:01 PM | Comments (2) | TrackBack
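The boast quoted in the post above describes trying variations of a recovery answer until one matched. The following is an added example, not code from the post, from Yahoo or from anyone named in it: a per-account failure limit around the secret-question check, replayed against a constructed guess sequence. The class name, thresholds, account name and the sample guesses are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 3        # assumed policy: wrong answers tolerated per window
WINDOW = 3600           # assumed: seconds over which failures are counted
LOCKOUT = 24 * 3600     # assumed: seconds recovery stays disabled afterwards


def normalize(answer):
    """Case- and whitespace-insensitive form of a recovery answer."""
    return " ".join(answer.lower().split())


def hash_answer(answer, salt):
    """Store recovery answers like passwords: salted and slow-hashed."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def unthrottled_check(guess, salt, stored_hash):
    """The weak design: every guess is evaluated, with no limit on retries."""
    ok = hmac.compare_digest(hash_answer(guess, salt), stored_hash)
    return "verified" if ok else "rejected"


class RecoveryGuard:
    """Per-account throttle wrapped around the same answer check."""

    def __init__(self):
        self.failures = {}      # account -> timestamps of recent wrong answers
        self.locked_until = {}  # account -> time at which recovery reopens
        self.alerts = []        # (timestamp, account, reason) for review

    def attempt(self, account, guess, salt, stored_hash, now):
        # A locked account rejects even the correct answer, so guessing
        # cannot continue until the lockout expires.
        if now < self.locked_until.get(account, 0):
            return "locked"
        if hmac.compare_digest(hash_answer(guess, salt), stored_hash):
            self.failures.pop(account, None)
            return "verified"
        # Count only failures inside the sliding window.
        recent = [t for t in self.failures.get(account, []) if now - t < WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            self.alerts.append((now, account, "recovery answer guessing"))
        return "rejected"


# Constructed sample data. The salt is fixed so the run is reproducible;
# a real system would generate a random salt per account.
SALT = b"constructed-salt"
STORED = hash_answer("Wasilla High", SALT)
ACCOUNT = "user@example.com"  # placeholder account name
GUESSES = [                   # (seconds since first attempt, guess), constructed
    (0, "high"),
    (40, "high school"),
    (95, "wasilla high school"),
    (150, "Wasilla high"),
]


def replay_unthrottled():
    """Outcome of each guess when retries are unlimited."""
    return [unthrottled_check(g, SALT, STORED) for _, g in GUESSES]


def replay_guarded():
    """Outcome of each guess, plus alerts raised, with the throttle in place."""
    guard = RecoveryGuard()
    outcomes = [guard.attempt(ACCOUNT, g, SALT, STORED, t) for t, g in GUESSES]
    return outcomes, guard.alerts


if __name__ == "__main__":
    print("unthrottled:", replay_unthrottled())
    print("guarded:    ", replay_guarded())
```

The throttle limits guessing but does nothing about answers that can be looked up in public sources, which is the other weakness the post describes.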
September 12, 2008
The Inability to Opt Out of DPI (or Why the Marketplace Cannot Cure Paul's Worries)
Some might respond to Paul Ohm's terrific article, The Rise and Fall of Invasive ISP Surveillance, by suggesting, as network providers do, that the marketplace will sort out our privacy concerns about Deep Packet Inspection practices because consumers can opt out of DPI tracking of their online life with a single click. Optimism about a proper functioning marketplace, however, is misplaced for several reasons. First, as Ars Technica reports, network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy. Thus, a basic information asymmetry problem arises—consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Second, even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And, third, as Dr. David Reed testified before the Subcommittee on Telecommunications and the Internet, even if some network providers switch to an opt-in approach or reject DPI entirely, consumers cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory. Thus, the privacy concerns that Paul raises likely are not self-correcting.
Posted by Danielle Citron at 01:54 PM | Comments (3) | TrackBack
The Greatest Threat to Privacy Part II: Why I Worry More About ISPs Than Google
In a prior post, I began to explain why ISPs pose the greatest threat to privacy in modern life. I argued that many ISPs are likely to begin to experiment with new, more invasive forms of surveillance relying, in part, on so-called Deep-Packet Inspection technology. I am grateful for the vigorous debate which followed in the comments, and I know my article will be much stronger once I incorporate what I have learned reading and responding to these comments.
The last post led only to the conclusion that ISPs pose a great threat to privacy, but to call this the greatest threat in society, I need to answer the question, "compared to what?" In particular, the most common response to my article I have heard is, "Doesn't Google threaten privacy more?" In this post, let me explain why I worry more about the threat to privacy from ISPs than from Google.
You can hide from Google but it is very hard to hide from your ISP. Even though Google collects a lot of information about what its users do when they use its services, it cannot track what it cannot see. Whenever you leave a Google-owned or affiliated website, Google loses track of you. As you surf the New York Times, Yahoo!, Facebook, Amazon, Craigslist, or eBay, Google has no way of knowing what you are doing. When you communicate via VoIP or download files over BitTorrent, Google has no way of monitoring you.
Your ISP, in contrast, never loses sight of you (unless you encrypt your communications or switch to another provider). In a recent radio interview, I called this a "Godlike" view of the network. As a commenter to a New York Times blog post about my article put it, "Deep Packet Inspection is Adware or Spyware ON YOUR NETWORK."
More directly to the comparative point, your ISP can see nearly everything you do through Google. Virtually no Google service uses encryption by default. Your ISP, if it chooses to watch, can see and record every Google search query, Google Calendar entry, YouTube video stream, and Google Reader request. For this reason, the threat to privacy from Google is merely a subset of the threat from your ISP, assuming of course that your ISP is watching.
This last caveat is the one that frustrates some readers. Sure, the potential threat to an ISP-gone-bad is dire, they might concede, but no ISP is actually collecting this much information. Most ISPs are respectful of user privacy, they would argue, and possess the self-control to refuse to watch most of what their users are doing.
But as I said in the last post, even if no ISPs are collecting this much information today, I predict that they will in the near future thanks to the means, motive, and opportunity at their disposal. A few commenters have rightly pushed me on ISP motive: what proof do I have that ISPs are feeling pressure to collect more information? First, Charter, AT&T, several British ISPs, and others have proposed or implemented new monitoring schemes in the past year. Second, for many years, ISPs have persistently complained about their dire financial prospects, arguing that they cannot afford to upgrade their infrastructure without new strategies for better return on investment (ROI). I know of few other plausible ways for ISPs to improve ROI, except by monetizing user secrets.
I plan to write at least one more post on this topic, but for now, let me turn it back over to the commenters. Please remember that this is a very brief synopsis of a 77 page, 34,000+ word draft, and I urge you to at least skim the article before you respond...
Posted by Paul Ohm at 01:14 PM | Comments (5) | TrackBack
September 03, 2008
The Greatest Threat to Privacy: The Internet Service Provider
I have recently posted on SSRN the article that ate my summer, The Rise and Fall of Invasive ISP Surveillance. I make many claims in this article, but the principal one, and the one I want to spend a few posts elaborating and defending, is found in the first sentence of the abstract: "Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP)." In this first post, let me explain why ISPs pose an enormous threat to privacy:
Simply put, your ISP has the means, motive, and opportunity to scrutinize nearly every communication departing from and arriving to your Internet-connected computer:
Opportunity: Because your ISP serves as the gateway between your computer and the rest of the Internet, every e-mail message, IM, and tweet you send and receive; every web page and p2p-traded file you download; and every VoIP call you place travels first through your ISP's routers.
Means: A decade ago, your ISP lacked the tools to efficiently analyze every communication crossing its network, because computers were relatively slow and networks were relatively fast. I use the analogy of the policeman on the side of the road, scrutinizing the passing cars. If the policeman is slow and the road is wide and full of speeding cars, the policeman won't be able to keep up.
Over the past decade, while network bandwidth has increased, computer processing power has increased at a faster rate, and your ISP can now analyze more information, more inexpensively than before. The roads are wider today, but the policemen are smarter and more efficient. An entire industry--the deep-packet inspection industry--has arisen to provide hardware and software tools for massive, widespread, automated surveillance.
Motive: Third-parties are placing pressure on ISPs to spy on users in unprecedented ways. Advertisers are willing to pay higher rates for behavioral advertising. For example, Ikea will pay more to place an ad in front of people who have been recently surfing furniture websites. To enable behavioral advertising, companies like NebuAd and Phorm have been trying to convince ISPs to collect user web-surfing data they do not collect today. Similarly, the copyrighted content industries seem willing to pay ISPs to detect, report, and possibly block the transfer of copyrighted works.
Because of these three factors, ISPs are scrutinizing more information--and different forms of information--than they ever have before. AT&T has begun to consider monitoring for copyright violations; Charter Communications signed up with NebuAd, sparking a firestorm of publicity and legislative interest which pushed Charter to abandon the deal; and a few British ISPs have begun to use Phorm's services. I predict that these examples presage a coming storm of unprecedented, invasive ISP monitoring.
In the next post, I will compare the threat to privacy from ISP monitoring to the threat from other entities, in particular, Google and Microsoft.
Posted by Paul Ohm at 01:29 PM | Comments (46) | TrackBack
August 20, 2008
The End of Privacy?
I've written an article for the September issue of Scientific American magazine called The End of Privacy? The article is available online here, with a slightly different title: Do Social Networks Bring the End of Privacy?.
The entire issue is devoted to privacy, and there are some other really interesting articles. Here are links to the other articles in the issue:
Whitfield Diffie and Susan Landau, Internet Eavesdropping: A Brave New World of Wiretapping
Steven Ashley, Digital Surveillance: Tools of the Spy Trade
Katherine Albrecht, How RFID Tags Could Be Used to Track Unsuspecting People
Anil K. Jain and Sharath Pankanti, Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft?
Mark A. Rothstein, Tougher Laws Needed to Protect Your Genetic Privacy
Simson L. Garfinkel, Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles
Peter Brown, Privacy in an Age of Terabytes and Terror
Esther Dyson, How Loss of Privacy May Mean Loss of Security
Anna Lysyanskaya, Cryptography: How to Keep Your Secrets Safe
Posted by Daniel J. Solove at 12:03 AM | Comments (0) | TrackBack
July 28, 2008
Saved by Pervasive Surveillance
At 26 seconds into this video, a policeman appears to tackle a bicyclist without provocation. . . . and guess who was arrested after the incident?
Yes, you guessed it, the bicyclist. If the moment hadn't been caught on tape, it's quite possible the victim here would be facing criminal charges, and the policeman in question could be plotting another assault.
More prosaically on the transportation front, car insurance firms are now offering big discounts to drivers who install technological devices that monitor driving moment-by-moment.
I predict that the car monitoring technology will gradually become an industry standard for insurers--once a critical mass of drivers adopts it, the "bonus" for installing it will quickly morph into a penalty for failure to do so (just as I've chronicled that development for other technologies in this paper). Lior Strahilevitz has given some good policy arguments for adopting a parallel (but P2P) surveillance system for drivers, and my sense is that they apply just as well here. Jonathan Zittrain warns us that "FBI can secretly eavesdrop on any automobile with [a similar] OnStar navigation system by obtaining a judge’s order and ensuring that the surveillance does not otherwise disrupt the system’s functioning," but I don't know if that concern is enough to cause me to worry here. I care about privacy, but if there's any way we can get some of the maniacs on the Garden State parkway to slow down, I think I'm for it.
The bicyclist-bashing seems like an even better case for pervasively distributed surveillance--or at least for David Brin's admonition that we must always try to "watch the watchers." Policing, like driving, may provide a special case for pervasive surveillance, despite worries like Zittrain's over the cultural consequences of pervasive surveillance:
The summed outrage of many unrelated people viewing a disembodied video may be disproportionate to whatever social norm or law is violated within that video. Lives can be ruined after momentary wrongs, even if merely misdemeanors. [Just as] too many road signs and driving rules change people into automatons, causing them to trade in common sense and judgment for mere hewing to exactly what the rules provide, no more and no less[,] . . . too much scrutiny can also turn us into automatons. Teacher behavior in a classroom, for example, is largely a matter of standards and norms rather than rules and laws, but the presence of scrutiny, should anything unusual happen, can halt desirable pedagogical risks if there is a chance those risks could be taken out of context, misconstrued, or become the subject of pillory by those with perfect hindsight. . . .
In this hyperscrutinized reality, people may moderate themselves instead of expressing their true opinions. To be sure, people have always balanced between public and private expression. As Mark Twain observed: “We are discreet sheep; we wait to see how the drove is going, and then go with the drove. We have two opinions: one private, which we are afraid to express; and another one—the one we use—which we force ourselves to wear to please Mrs. Grundy, until habit makes us comfortable in it, and the custom of defending it presently makes us love it, adore it, and forget how pitifully we came by it. Look at it in politics.”
Today we are all becoming politicians. People in power, whether at parliamentary debates or press conferences, have learned to stick to carefully planned talking points, accepting the drawbacks of appearing stilted and saying little of substance in exchange for the benefits of predictability and stability. Ubiquitous sensors threaten to push everyone toward treating each public encounter as if it were a press conference, creating fewer spaces in which citizens can express their private selves.
As Dan Solove does, Zittrain focuses on expressive realms where distributed watching can tamp down originality and spontaneity. But after the bicycle case (and similar incidents), the value of surveillance of police is clearly demonstrable. The key question is whether this salutary kind of "watching the watchers" can be accomplished without unduly impinging on the expressive realms that Zittrain and Solove describe.
PS: The bicyclist in question was part of a group called Critical Mass, which has clashed with the NYPD in the past. Law & order types in particular will probably find the police's criticisms of the group compelling--it organizes "spontaneous gatherings" to avoid regulations of protests, and has been accused of slowing down traffic (and emergency vehicles) during its bike rides. (It was also treated quite harshly for its protests at the Republican National Convention.) But however much one might dislike the group, the treatment of the bicyclist here appears utterly indefensible.
Posted by Frank Pasquale at 08:00 PM | Comments (2) | TrackBack
July 11, 2008
The New Foreign Intelligence Surveillance Act
I have been following the new FISA Amendments Act of 2008, but I have refrained from chiming in, as many others have been doing terrific blogging on the issue. Of particular note:
* David Kris, A Guide to the New FISA Bill (I, II, III)
* Wes Alwan, Understanding Recent Changes to FISA — A Visual Guide (Flowchart)
* Orin Kerr, The New FISA Law and the Misleading Media Coverage of It
* Marty Lederman, The Privacy-Protective Components of the New FISA Law
* Jack Balkin, The New FISA Law and the Construction of the National Surveillance State
I've been particularly dismayed at the Democrats' strategy in dealing with the FISA Amendments. Why bother to try to negotiate a FISA compromise with a presidential administration that has shown nothing but contempt for the law to begin with? The Bush Administration, instead of going to Congress and requesting a change in the FISA, went ahead and blatantly violated that law. And the Administration said it would continue to violate the law, so what's the pressing need to fix the FISA, especially when negotiating with an Administration that only will meet you about 2% of the way? Why force Obama to make a difficult choice about voting on the law, risking either looking weak on security or like a sell-out? Why not wait a few months and then pass a law with a new administration, one that will hopefully be easier to negotiate with? And how is this law any more binding on a president who says he has the right to violate a law based on his Article II powers?
Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That's the lesson. You spit in Congress's face, and they'll give you what you want.
The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security.
That's the direction we're heading in -- more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability -- with most of the oversight being very general, not particularly rigorous, and nearly always secret -- and with the public being almost completely shut out of the process. But don't worry, you shouldn't get too upset about all this. You probably won't know much about it. They'll keep the dirty details from you, because what you don't know can't hurt you.
Posted by Daniel J. Solove at 08:31 PM | Comments (14) | TrackBack
July 10, 2008
Justice Breyer's Information Available on Limewire
It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.
Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen as a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.
Posted by Deven Desai at 01:01 PM | Comments (0) | TrackBack
May 22, 2008
Is the Computer Fraud and Abuse Act Unconstitutionally Vague?
At the National Law Journal, attorney Nick Akerman (Dorsey & Whitney) contends that the Computer Fraud and Abuse Act (CFAA) indictment of Lori Drew (background about the case is here) is an appropriate interpretation of the statute:
While this may be the first prosecution under the CFAA for cyberbullying, the statute neatly fits the facts of this crime. Drew is charged with violating §§ 1030(a)(2)(C), (c)(2)(B)(2) of the CFAA, which make it a felony punishable up to five years imprisonment, if one "intentionally accesses a computer without authorization . . . , and thereby obtains . . . information from any protected computer if the conduct involved an interstate . . . communication" and "the offense was committed in furtherance of any . . . tortious act [in this case intentional infliction of emotional distress] in violation of the . . . laws . . . of any State." There is no question that the MySpace network is a "protected" computer as that term is defined by the statute. Indeed, "[e]very cell phone and cell tower is a 'computer' under this statute's definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget." U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005). There is also no question that a violation of MySpace's TOS provides a valid predicate for proving that the defendant acted "without authorization." What the commentators ignored in their critique of this indictment is that the "CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers." EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). A company "can easily spell out explicitly what is forbidden." Id. at 63. Thus, companies have the right to post what are in effect "No Trespassing" signs that can form the basis for a criminal prosecution.
If this interpretation of the law is correct, then the law is probably unconstitutionally vague. A vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. The CFAA, as construed by the prosecution in the Drew case, will probably be found vague because it authorizes or encourages arbitrary and discriminatory enforcement.
Suppose I put a notice on this post that says: "No attorneys may post a comment to this blog." Suppose Nick Akerman comes to this site, sees this post, and writes a comment that is defamatory. Under his theory, he can be prosecuted for violating the CFAA. He has "trespassed" on this site. Moreover, if a blog has a policy that it will not tolerate "rude, uncivil, or off-topic comments," then commenters who make such comments that are tortious (intentional infliction of emotional distress, public disclosure of private facts, false light, defamation, etc.) can be liable for a CFAA violation. Moreover, any use of a website that goes against whatever terms the operator of that site has set forth that constitutes a negligence tort is also criminal.
The problem here is that the CFAA's applicability would be extremely broad -- so broad that the cases likely to be prosecuted would be arbitrary. Since tort law is common law, and is very flexible, broad, and evolving, people would not have adequate notice about what conduct would be legal and not legal. There's a reason why tort law is different from criminal law -- we are willing to accept a lot more ambiguity and uncertainty in tort law than in criminal law, where the stakes involve potential imprisonment.
Moreover, Nick Akerman only focuses on the CFAA § 1030(c)(2)(B)(2), which makes it a felony to exceed authorized access if the offense was committed in furtherance of any tortious act.
The CFAA § 1020(a)(2)(C) makes it a criminal misdemeanor to "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication." If I'm interpreting this correctly (and I don't purport to be an expert on the CFAA), under the Drew prosecutor's interpretation of the CFAA, any time a person violates a website's terms of service and accesses any information from the site, there's a criminal violation. That means that if I post on this blog a notice that says: "No attorneys may access any other parts of this blog other than the front page," and an attorney accesses any other page on my blog, then there's a CFAA violation. Could the law possibly be this broad? I think it would require a narrowing interpretation in order to avoid problems of unconstitutional vagueness.
The CFAA strikes me as a very poorly drafted statute. The Drew indictment demonstrates the problems with the law. Either courts should fix the CFAA interpretively by narrowing its scope, or else strike it down as unconstitutionally vague. But what clearly cannot stand is for the law to be interpreted as the Drew prosecutor seeks to interpret it.
Hat tip: Dan Slater at the WSJ Blog
Posted by Daniel J. Solove at 02:29 PM | Comments (14) | TrackBack
May 19, 2008
My New Book, Understanding Privacy
I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what "privacy" means and why it is valuable. Professor Arthur Miller once wrote that privacy is "exasperatingly vague and evanescent." In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:
Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.
In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.
Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.
Here's a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn't focus on the nature of the information, the individual's preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006). I've updated the taxonomy in the book, and I've added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.
Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.
For more information about the book, please visit its website.
Posted by Daniel J. Solove at 12:03 AM | Comments (5) | TrackBack
May 16, 2008
Little Brother
Cory Doctorow’s latest novel, Little Brother, is technically a young adult novel, but there is something in there for anyone interested in cyberlaw, security, national security law, and oh yeah, a rather fun, although at times scary, tale. In classic Cory fashion, he has made the book available for free (yes well before law profs such as Benkler and Zittrain did so, Cory has been a leader in the world of I-make-money-by-giving-away-my-creations). He also allows people to remix and share the new work. The downloads and remixes are licensed under a Creative Commons Attribution-Noncommercial-ShareAlike license. Now that is a business model of the new economy. For those wondering whether this approach works, it does for Cory if making the New York Times Kids Bestseller list matters. (Scoff at your own risk. Remember kids are a tremendous market). So on to the book.
Some tech/sci-fi writers give up story for ideas. They offer great fun and build excellent worlds, but when it comes to ending the story, they fall short. (I am thinking of early Stephenson here) Little Brother, however, delivers both ideas and story. That is great because one can dive in and enjoy the characters as they navigate the modern day 1984 world of the United States.
Despite, or perhaps because, the characters and the story draw one in, the details of this world are not all fun and games. Hacking, government power, security, racism, freedom, and more swirl around as decent teens trying to have a life, trying to grow and express themselves, and trying to make mischief, crash into a new world. Anyone who remembers useful acts of rebellion and the learning that goes with them should be able to identify with these kids. The beauty of having kids as main characters is that kids often have parents. Doctorow uses the parents quite well. They express the natural desire for stability and the way that once freedom-loving individuals can easily change as they age and see the world through a lens of how-do-I-protect-my-family? Whether they will protect their kids and what the protection will look like was a subtle but important theme which Doctorow navigates well. Perhaps thoughts of becoming a father fueled this sensitivity; perhaps not. Either way it works.
Some of the text tantalizes with ways for individuals to keep their communications free, secret, and/or anonymous as context requires. Exploring those issues allows Doctorow to investigate how trust of other individuals, businesses, and the government work together to create the world we enjoy or what happens if that trust fails. Cory is not shy. He does not stop there. The relationship between federal and state government, the role of the press, and how individuals can or cannot impact the system are all in play as well.
I will stop here as I do not want to give away the details. There is more to discuss, but I also hate spoilers. So here is a possible solution. For those wishing to see Cory’s take on his book check out his post on John Scalzi’s Big Idea series. In addition, Cory is quite busy, but we hope to do a phone interview this summer. That way the law issues can be addressed and those who wish to avoid spoilers can. No promises but if he and I can connect, it should be fun.
Last, you may wonder whether I’d say buy the book given that it can be downloaded for free. Well yes I would say buy it as it keeps Cory funded. Yet, what if you decide to download it? Should you donate to Cory? No. In fact he would prefer you buy a copy for you or someone you love as it works better for his publisher and him. Or ever the innovative person, Cory has another idea you may wish to pursue: a donation program for the book. In short, Cory and his assistant have assembled a list of libraries and schools that want the book. He suggests that people who downloaded the book and want to give him money, find a library or school, buy the book online, and ship it to the school. Everybody wins: the public, the publisher, and Cory (who will receive royalties). Cory sent me the file before he put it online so I could review it. Still, I plan on following his suggestion and donating a book.
Image: Courtesy of Pablo Defendini
The image is an early sketch for a potential paperback cover. Mr. Defendini has a portfolio that you may enjoy too.
Posted by Deven Desai at 12:50 PM | Comments (1) | TrackBack
May 15, 2008
Megan Meier Case Update -- Drew Indicted
I blogged about the Megan Meier case a while ago. This is the case where Megan Meier, a teenager, committed suicide after her online friend from Myspace suddenly started to reject her and say mean things to her. The "friend" on Myspace was actually Lori Drew, the mother of one of her classmates, and some other individuals. They created the fake profile and were pretending to be Meier's fictional friend.
Now, Drew has been indicted by a federal grand jury for a violation of the Computer Fraud and Abuse Act (CFAA). Here's the indictment.
Drew was charged with conspiracy as well as three counts of accessing protected computers without authorization. According to the indictment:
On or about the following dates, defendant DREW, using a computer in O'Fallon, Missouri, intentionally accessed and caused to be accessed a computer used in interstate commerce, namely, the MySpace servers located in Los Angeles County, California, within the Central District of California, without authorization and in excess of authorized access, and, by means of interstate commerce obtained and caused to be obtained information from that computer to further tortious acts, namely intentional infliction of emotional distress on [Megan Meier].
From the AP:
Each of the four counts carries a maximum possible penalty of five years in prison.
Drew will be arraigned in St. Louis and then moved to Los Angeles for trial.
The indictment says MySpace members agree to abide by terms of service that include, among other things, not promoting information they know to be false or misleading; soliciting personal information from anyone under age 18 and not using information gathered from the Web site to "harass, abuse or harm other people."
Drew and others who were not named conspired to violate the service terms from about September 2006 to mid-October that year, according to the indictment. It alleges that they registered as a MySpace member under a phony name and used the account to obtain information on the girl.
Drew and her coconspirators "used the information obtained over the MySpace computer system to torment, harass, humiliate, and embarrass the juvenile MySpace member," the indictment charged.
UPDATE: Over at the Volokh Conspiracy, Orin Kerr believes that the indictment should be dismissed. Kerr believes that it is a stretch to apply the CFAA to violations of a site's terms of service.
If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed? If you violate the Terms of Service, are you committing a crime?
Kerr also argues that the prosecution will have a very hard time demonstrating that Drew intended to violate MySpace's terms of service. He writes: "But here there is no evidence that Drew even read the TOS. Most people don't, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn't aware that she was violating the TOS, she couldn't be exceeding her authorized access intentionally."
I agree with Kerr on these first two reasons. While Drew's conduct is immoral, it is a very big stretch to call it illegal.
Kerr offers a third reason why the indictment is faulty -- it is unclear whether the goal of the conspiracy was to obtain information, as was charged in the indictment. Kerr writes: "[I]t doesn't seem that Drew had the intent to obtain information from her victim. Her apparent goal was to harass her victim and to cause emotional distress, not to obtain information from her." On this reason, however, I'm not so sure I agree. The news accounts I read about the case indicated that one of Drew's primary motivations for creating the fake profile was to learn information from Megan Meier. She wanted to know information from Megan that pertained to her own daughter, who was a classmate of Megan's. The harassing came later on.
Posted by Daniel J. Solove at 05:46 PM | Comments (5) | TrackBack
April 07, 2008
Data Mining and the Security-Liberty Debate
My short essay, Data Mining and the Security-Liberty Debate, 74 U. Chi. L. Rev. 343 (2008) has just been published. I've posted the final version on SSRN. Here's the abstract:
In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government's assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining's security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.
The essay critiques arguments by Richard Posner and William Stuntz, as well as Eric Posner and Adrian Vermeule's Terror in the Balance: Security, Liberty, and the Courts.
Posted by Daniel J. Solove at 12:51 AM | Comments (1) | TrackBack
March 27, 2008
The Digital Person Free Online!
Last month, Yale University Press allowed me to put my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet online for free. The experiment has gone quite well. The book's website received a big bump in traffic, with many people downloading one or more chapters. The book's sales picked up for several weeks after it was placed online for free. Sales have now returned to about the same level as before the book went online.
I'm delighted to announce that NYU Press has allowed me to put my book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, 2004) online for free.
Here's a brief synopsis of The Digital Person from the book jacket:
Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. These databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases--which Daniel J. Solove calls “digital dossiers”--has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.
Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. In THE DIGITAL PERSON, Solove engages in a fascinating discussion of timely privacy issues such as spyware, web bugs, data mining, the USA-Patriot Act, and airline passenger profiling.
THE DIGITAL PERSON not only explores these problems, but provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.
Book reviews are collected here.
Posted by Daniel J. Solove at 12:08 AM | Comments (0) | TrackBack
March 10, 2008
The NSA: The Total Information Awareness Agency

Remember when, about five years ago, a program called Total Information Awareness (TIA) came to light? TIA was a plan to create a massive government database of personal information which would then be data mined. The program led to a public outcry, with William Safire writing a blistering op-ed in the New York Times attacking TIA. In 2003, Congress voted to deny it funding.
According to the Wall Street Journal, something very similar to TIA is now being done by the NSA:
The National Security Agency, once confined to foreign surveillance, has been building essentially the same system.
The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people's communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks. . . .
Largely missing from the public discussion is the role of the highly secretive NSA in analyzing that data, collected through little-known arrangements that can blur the lines between domestic and foreign intelligence gathering. Supporters say the NSA is serving as a key bulwark against foreign terrorists and that it would be reckless to constrain the agency's mission. The NSA says it is scrupulously following all applicable laws and that it keeps Congress fully informed of its activities.
According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called "transactional" data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA's own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge's approval when a link to al Qaeda is suspected.
The article continues, discussing how the debate over the Foreign Intelligence Surveillance Act (FISA) and immunity for telecommunications companies is only getting at the tip of the iceberg:
It isn't clear how many of the different kinds of data are combined and analyzed together in one database by the NSA. An intelligence official said the agency's work links to about a dozen antiterror programs in all.
A number of NSA employees have expressed concerns that the agency may be overstepping its authority by veering into domestic surveillance. And the constitutional question of whether the government can examine such a large array of information without violating an individual's reasonable expectation of privacy "has never really been resolved," said Suzanne Spaulding, a national-security lawyer who has worked for both parties on Capitol Hill.
NSA officials say the agency's own investigations remain focused only on foreign threats, but it's increasingly difficult to distinguish between domestic and international communications in a digital era, so they need to sweep up more information.
All this occurs with little to no oversight. Congress seems unwilling to perform much of an oversight role. The courts are not all that excited about it either. The Supreme Court has already limited the reach of the Fourth Amendment, making it possible for the government to collect records from businesses with no oversight and few limits. The courts today are finding many ways to dismiss lawsuits challenging the NSA surveillance -- through an expansive application of the state secrets doctrine or through uncharitable views of plaintiffs' standing to bring a challenge. The Executive Branch, it seems, can do whatever it wants. All of this strikes me as a tremendous failure of our political system.
Posted by Daniel J. Solove at 10:24 AM | Comments (0) | TrackBack
March 06, 2008
The FBI Does It Again
From the Associated Press:
The FBI acknowledged it improperly accessed Americans' telephone records, credit reports and Internet traffic in 2006, the fourth straight year of privacy abuses resulting from investigations aimed at tracking terrorists and spies.
The breach occurred before the FBI enacted broad new reforms in March 2007 to prevent future lapses, FBI Director Robert Mueller said Wednesday. And it was caused, in part, by banks, telecommunication companies and other private businesses giving the FBI more personal client data than was requested.
Testifying at a Senate Judiciary Committee hearing, Mueller raised the issue of the FBI's controversial use of so-called national security letters in reference to an upcoming report on the topic by the Justice Department's inspector general.
An audit by the inspector general last year found the FBI demanded personal records without official authorization or otherwise collected more data than allowed in dozens of cases between 2003 and 2005. Additionally, last year's audit found that the FBI had underreported to Congress how many national security letters were requested by more than 4,600.
At the end of the article is a very apt quote by a former FBI official:
"The credibility factor shows there needs to be outside oversight," said former FBI agent Michael German, now a national security adviser for the American Civil Liberties Union. He also cast doubt on the FBI's reforms.
"There were guidelines before, and there were laws before, and the FBI violated those laws," German said. "And the idea that new guidelines would make a difference, I think cuts against rationality."
I've long recommended that the FBI be better regulated and placed under better oversight:
A charter defining the FBI’s scope and powers as well as requiring more regular congressional oversight would go a long way to ensuring against the terrible abuses of the FBI’s past. A detailed proposal for such a charter is beyond the scope of this Article. The bulk of such a charter, however, could be composed by codifying existing internal FBI Guidelines into law. The Church Committee recommended a legislative charter to govern intelligence gathering activities, but many of the Committee’s proposals were put into operation through executive orders and guidelines. Executive orders and Attorney General Guidelines are the “primary source of authority for national security surveillance.”
Unfortunately, executive orders and guidelines can all be changed by executive fiat, as demonstrated by Ashcroft’s substantial revision to the guidelines in 2002. Moreover, the Attorney General Guidelines are not judicially enforceable. The problem with the current system is that it relies extensively on self-regulation by the executive branch. Much of this regulation has been effective, but it can too readily be changed in times of crisis without debate or discussion. Codifying the internal executive regulations of the FBI would also allow for public input into the process. The FBI is a very powerful arm of the executive branch, and if we believe in separation of powers, then it is imperative that the legislative branch, not the executive alone, become involved in the regulation of the FBI. The guidelines should be judicially enforceable to ensure that they are strictly followed.
I recommend that the original FBI guidelines, under Attorney General Levi, should be used as the foundation for a legislative charter for the FBI. The Levi Guidelines were crafted to prevent the abuses chronicled by the Church Committee, and they provide strong limits on the use of surveillance directed at free speech and political activities. The threshold standards of the Levi Guidelines are more meaningful than the watered-down versions employed in subsequent revisions. The Levi threshold standards are not insurmountable—they are a practical compromise between privacy and effective law enforcement that safeguards against abuses.
Additionally, the charter should require Congress to undertake an extensive assessment of intelligence activities at five- to ten-year intervals. This assessment would be similar in scope to the Church Committee Report. The Church Committee performed a profoundly valuable service, exposing and memorializing surveillance abuses that occurred over a period of about forty years. This kind of thorough accounting of the often clandestine activities of governmental intelligence agencies should not be an isolated undertaking.
Posted by Daniel J. Solove at 12:17 PM | Comments (0) | TrackBack
February 12, 2008
Well, at Least We Have FOIA....Or Maybe Not
The Senate just passed a major amnesty for telecommunications companies accused of illegal surveillance. Glenn Greenwald notes that the bill would "provide full retroactive amnesty to lawbreaking telecoms, thus forever putting an end to any efforts to investigate and obtain a judicial ruling regarding the . . . spying programs."
Well, at least we can count on the Privacy and Civil Liberties Oversight Board to assure that things like this don't happen in the future. Or, maybe not. . . it turns out that the "original five members saw their terms expire in January and they have not been replaced."
Can FOIA help us keep tabs on the scope of surveillance programs? After all, Republican John Cornyn helped pass into law last year an Open Government Act that was supported by large majorities in both houses of Congress. It created an independent ombudsman position designed to improve the torpid FOIA process. President Bush signed it, but. . .
[B]uried in the President’s mammoth . . . budget document, on page 239, at the appendices of the Commerce Department section. . . is a phrase that does not mention FOIA, the Freedom of Information Act, does not mention the Office of Government Information Services, which is the name of the ombudsman, does not mention the National Archive. It just has . . . [a] pithy little phrase that says, “This position will no longer exist.” And all duties are transferred to the Justice Department. What makes this so egregious is the Justice Department is the very agency that’s been criticized for not enforcing the Freedom of Information Act . . . .
Uh-oh. As journalist Rebecca Carr notes, "There [are] some Freedom of Information requests languishing in excess of 15 years. That’s far in excess of the 20-day time limit."
Posted by Frank Pasquale at 06:57 PM | Comments (1) | TrackBack
January 10, 2008
Can You Sue If a Computer Reads Your E-mail?
Thanks Dan for the welcome, and I'm excited to be guest-blogging at Concurring Opinions again. I had intended my first post to be a continuation of the discussion Dan and I were having in the comments last week about heightened review for subpoenas to unmask anonymous actors on the internet, but events have overtaken me. Orin Kerr over at the Volokh Conspiracy has put up a post querying whether network-level filtering for copyright-infringing materials would violate the Wiretap Act; Orin appears to believe that it would, at least without consent from every potential sender of material that was scanned. This merges two of my areas of interest, copyright and electronic privacy law.
First of all, the report is a little sketchy, but it looks to me like the topic came up as possibly an off-the-cuff remark or an answer to a question at the CES conference in Las Vegas. It doesn't appear that anyone is proposing implementing this right away. But the idea seems to be that network intermediaries -- either ISPs serving individual subscribers, such as Comcast or Verizon, or perhaps ISPs closer to the Internet backbone, such as Level 3 or Sprint -- may be able to use fingerprinting technologies to detect and block copyrighted content transiting the network as a way of preventing infringement.
There might be all sorts of practical problems with this. How would a filter distinguish between authorized and unauthorized downloads, for example? But that's not what intrigues me right now. The question I want to focus on is, would this violate the Wiretap Act? It's arguable, but I don't think it would. I don't believe an automated scan of communications, where no permanent copy is made, violates the Act.
Of course, as a cautious lawyer (perhaps a redundant description), I'd certainly advise any telecommunications company to be wary before proceeding here. The ECPA, including the Wiretap Act, is a convoluted statute with a lot of unclear terminology. In essence, the Wiretap Act prohibits intentional interception of an electronic communication. There's an exception for consent -- that's why receiving an email is not a violation of the Act -- but Orin's already indicated why consent might be hard to obtain here from everyone. Could telecommunications companies do this kind of filtering without consent?
I agree with Orin that it doesn't seem that the exceptions allowing service providers to intercept communications for business-related reasons -- Sections 2510(5)(a)(ii) and 2511(2)(a)(i) -- would be of much help. In order to take advantage of the first of these exceptions, the service provider would need to be able to claim that filtering traffic for files infringing on the rights of others is "the ordinary course of its business." Perhaps that will become the ordinary course of business someday, but it doesn't seem to be right now. The second provision cited above specifically rules out "utiliz[ing] service observing or random monitoring" except for quality control, so that's no help either.
Nevertheless, I think there may be room in the Act for automated filtering. It all hinges on the definition of the term, "intercept." The central provision of the Wiretap Act makes any person who "intentionally intercepts ... any wire, oral, or electronic communication" liable. "Intercept" is defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." So, in order to violate the Act, one has to (1) intentionally (2) use a device to (3) acquire (4) the contents of a communication.
What does it mean to "acquire" the contents of a communication? That has always been a little unclear. Here's what I wrote in a chapter on civil applications of the ECPA in the PLI treatise, Proskauer on Privacy:
The issue of what qualifies as “acquisition” has proven more difficult. “Acquisition” is not defined in the act, nor is its interpretation necessarily straightforward. For example, are the contents of a communication that is routed somewhere other than the intended destination, but not listened to or recorded, “acquired” for purposes of the act? What about a communication that is recorded but not listened to? Or a communication that is recorded pursuant to an exception, such as by a party, but later acquired and listened to by someone else?
Courts have struggled with the answers to these questions ever since the Wiretap Act was adopted. For example, a telephone conversation may be intercepted by attaching a wire to a telephone line and stringing that wire to a speaker where the conversation is converted back to sound and overheard by a third party. At what point has interception occurred? One theory is that the interception occurs at the moment the signal in the line branches off to the wire installed by the wiretapper. The newly installed wire itself is the “device,” and the diverted signal is the “acquisition,” even if no speaker is attached at the other end. An alternative theory is that the interception occurs when the signal is converted back to sound at the speaker attached to the wire; the speaker is the relevant “device,” and the reconversion to a human-perceptible form is the “acquisition.” A third alternative is that the interception only occurs if a human listener hears the sound waves produced by the speaker. The speaker is still the “device,” but acquisition does not occur unless a human listener is there to overhear the conversation.
In most cases involving live surveillance of the sort just described, the dividing line between wire, speaker, and listener will not be of critical importance, since all three events will occur nearly simultaneously, and it will likely be the case that the same person or group of people attached the wire and the speaker and are using the apparatus. But interception can also be accomplished by recording a communication for later playback. In such a case, does the interception occur
(a) when the signal is diverted;
(b) when the recording is made; or
(c) when the recording is listened to?
One early case to resolve this issue looked at a tape recording that had been made by one participant in a drug transaction. United States v. Turk, 526 F.2d 654 (5th Cir. 1976). When the police searched his car, they found the tape and listened to it. The other person on the tape, Frederick Turk, was then charged with perjury for having lied to the grand jury. When the police listened to the tape, was that an interception in violation of the Act? The Fifth Circuit said no -- the first acquisition occurred when the recording was made, with the recorder serving as the "agent of the ear." Turk's colleague intercepted the conversation by recording it, but he did so with consent -- his own. The police then acquired a lawfully intercepted recording. Most courts have followed Turk -- an acquisition occurs no later than the point some device records the conversation, even if the recording is destroyed without anyone ever listening to it. As the Turk court put it, "In a forest devoid of living listeners, a tree falls. Is there a sound? The answer is yes, if an active tape recorder is present, and the sound might be thought of as 'aurally acquired' at (almost) the instant the action causing it occurred."
OK, so copying a communication is enough for a violation, even if no human ever reads it or listens to it. But what about the situation where no recording is made and no human is present to read or listen to the content at issue? For example, suppose a wire communication is tapped, and the tap goes to a speaker in an empty room, where it goes unheard. Is that still an "aural or other acquisition"? Turk waffled on that point, and there have been very few cases that have looked at it. One was the Fourth Circuit's decision in Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994), a case premised in part on the somewhat dubious conclusion that recording incoming calls to help capture bomb threats is not use "in the ordinary course of business." In another part of the opinion, the court reached the issue of whether conversations that were picked up by a microphone in a security office and, unbeknownst to everyone, were directed to a speaker in another area of the plant that apparently was set to a very low volume, had been "aurally or otherwise acquired" under the Act. The court held that it was "satisfied" that no acquisition had occurred. A district court in New Jersey reached a similar conclusion, holding that acquisition occurs when a device either directs a conversation to a human or when it is "permanently memorialized, a feat impossible for a wire to perform." Pascale v. Carolina Freight Carriers Corp., 898 F. Supp. 276, 280 n.1 (D.N.J. 1995).
I think these decisions are a reasonable interpretation of "acquisition." Acquisition means enabling a human to perceive the contents of a communication, either by bringing that communication to a place where humans are present, or by recording it for future perception. If that is the correct interpretation of "acquisition," then automatic scanning of the contents of a communication by a computer is not "acquisition." It neither carries those contents to a human for perception, nor does it capture them for later perception. So programs like Google's Gmail service, which automatically scans email content for advertising keywords, would be fine even without consent on this view. So would the ISP filtering at issue in Orin's post, so long as no contents from the communication are recorded or transmitted to humans. Indeed, given that qualificati






