We're from the ACLU, Cato, CDT, and Techdirt, fighting for everyone’s online freedom and privacy. Ask us anything about our absurdly outdated electronic privacy laws and how we can fix ECPA.

I'm going to pause for a moment and shill for ECPA reform. See the links above for more detail on what it is and why it needs reform, but if you agree please sign our petition to support updating it: https://petitions.whitehouse.gov/petition/reform-ecpa-tell-government-get-warrant/nq258dxk

Yes I shamelessly have my hat out for petition signatures. But as my son told me recently about Christmas, "How are you supposed to know what I want unless I tell you?"

Do these petitions actually do anything? They seem like an echo chamber that politicians give us to provide the illusion of them listening.

They're most effective when combined with other things. As part of a larger campaign they can strengthen the hand of people advocating on your behalf on the inside for example. But yes in isolation the message/focus can be lost. When I'm thinking signing something like this I usually try to determine if someone is actually going to follow up on it and actually do something more.

Yes, they can and do work. As Chris said, not by themselves, but as a part of a larger campaign they have worked in the past and will work again. The WH has frequently used these petitions as a reason to stake out a position, noting that "the public" supports it. They use it as a sort of cover -- and there are strong indications they may do the same here if this petition gets the votes.

Again, though, the petition in combination with a larger campaign can work. I know people are cynical about the petitions, and the WH does ignore many of them, but that doesn't mean that all are ineffective.

What else can/should people do in addition to signing this petition?

Call your representative. Share the petition. Share the infographic. Make people more informed.

Looking at the petition, and I see that it urges Obama to support "ECPA reform." Do you have any good specific points of reform that we are pushing for. I'd like to be able to list them off to my rep instead of just urging her to "support reform"

Also, my senators are Feinstein and Boxer. Will calling them have any effect?

A lot of the focus is on the reform bills currently in Congress. You can see the Leahy/Lee Senate version here: http://www.leahy.senate.gov/download/section-by-section-ecpa-reform-bill

[deleted]

I don't think there is any one real problem. There are a number of interdependent bad laws. ECPA reform will have a big impact on how law enforcement operates. This is certainly true for state and local police who never get anywhere near NSA information but also for the FBI.

The Supreme Court certainly may weigh in at some point but I think it's fair to say that we are much further along in terms of passing a new law then we are in advancing a case to the Supremes that might fix ECPA.

How do you reply to the criticism that the government cannot access the data it needs via warrant if it wasn't recorded in the first place?

Well if it wasn't recorded there is nothing to get, warrant or no. If they say that it might be deleted before they can get it, well the gov't always has the power to issue an order (called a preservation order) that requires companies to not delete stuff. They don't turn it over unless they get the right legal process but they won't delete.

In what way can intelligence agencies find a balance between national security and privacy of citizens?

It's hard for me to do better than my colleague Mike German (a former FBI agent):

I had been working for the FBI for 16 years and domestic terrorism for 12 years. What I understood was that the rules that are designed to protect privacy also help the government focus on people who are real threats. It works both ways. This idea that we trade our privacy for more security is just false. Spying on you won’t help the government find a terrorist. It’s a waste of resources, a waste of effort that also violates our rights.

Read the whole thing if you can - he provides lots of detail to emphasize this: http://dailycaller.com/2013/11/05/former-fbi-agent-mike-german-talks-about-the-nsa/#ixzz2mcaHEqCj

BTW there is nothing cooler than working down the hall from a guy who used to work as an undercover FBI agent. The stories I get to hear on a slow Friday afternoon are pretty great.

That is simply easy-way-out nonsense. There does exist a tension between security and privacy, one which has been acknowledged for centuries. In this day and age, talking about focusing on the real threats is even more nonsensical than in the past, as we now have the technology to process vast amounts of information with minimal added resources.

We need to realize that our rights don't exist because they are the most efficient way to go about business and that it it worth some risk to have a world where people are still free.

Privacy and security are not directly at odds, but there is a real conflict.

Whether or not you think my framing is right (certainly a fair point - sometimes something is just the right thing to do!) I disagree that vast amounts of information actually change the equation that much.

Time and time again we've seen that the information exists, it was just buried under mounds of other useless information. To use a crude analogy - its really hard to connect the dots when there are so many of them that the page is black.

Researchers have found this - datamining is not an effective way to catch terrorists: http://www.nap.edu/catalog.php?record_id=12452

I think it's a little dangerous to automatically assume that there's a "balance" between the two. You don't need to give up privacy to protect security. In fact, giving up privacy seems to rarely protect security, and in some cases can actively harm it (such as when backdoors are put into software you thought was secure).

At the very least though, it is difficult to see how anyone can argue with the basic concept of requiring a warrant for searches through private information. This is the thread that runs through both the ECPA issue and the NSA stuff. The government seems to go out of its way to avoid a warrant. If there is a truly serious issue and law enforcement can make a credible claim, it's not difficult for them to get a warrant. So why are they so resistant to it? Seems likely because they know they're overreaching in grabbing all sorts of unnecessary information just because they can.

Hey, this is Julian Sanchez. I'm a fellow with the Cato Institute in Washington DC who covers surveillance and digital privacy (issues I previously wrote about as the DC editor for Ars Technica & a blogger for the Economist). You can hunt down stuff I've written on these topics over at Cato.org or at the new blog JustSecurity.org

Hi Mr. Sanchez,

I recently moved to Washington, D.C. To pursue a career in public policy. What advice would you have for a recent graduate looking to work with a think tank, such as Cato?

An internship never hurts to get a foot in the door; organizations like the America's Future Foundation can be helpful for networking. Beyond that, check the job listings—plenty of folks have started as research assistants and moved up to substantive policy work.

Hi Julian, I have a question.

On a whole I don't agree with your positions on the free market, and healthcare. If I feel the latter two are higher up on my list of things to worry about. Why would I want to throw support behind you?

Well... you probably wouldn't want to. Instead, you can throw your support behind institutions like EFF & CDT & ACLU that work for civil liberties and don't also do stuff you disagree with. But we have many smart scholars, and I hope you'd at least take a look at their arguments now and again; maybe they'll convince you on some of those issues.

Howdy. I'm excited to be doing this. I'm going to dive into the questions in sec but it only seems polite to introduce myself. I'm Chris Calabrese. I've been an ACLU lawyer for almost 10 years and am one of the ACLU's privacy lobbyists. My focus is basically on everything privacy that is not the NSA. Looking forward to a wide ranging discussion about email privacy and other fun tech privacy issues!

Who as oversight over the FISA court? Isn't having a secret court system the root of the problem?

That is certainly one issue: The Court itself is selected unilaterally by the Chief Justice of the Supreme Court (John Roberts) and really only answerable to the Supreme Court. Except since only the government normally appears before the FISC, the Supreme Court would typically only become involved if the government chose to appeal the denial of an order. But possibly a broader problem is the limits on the FISC's own discretion: In many cases, the statute assigns the Court some kind of minimal oversight role, but effectively requires them to grant the authority sought provided the applying agency has checked off all the relevant boxes on the form.

One of the things that advocates have pushed for on FISC reform is more transparency and oversight - Rep. Jim Sensenbrenner (author of the Patriot Act, btw) and Sen. Leahy have a bill--the USA Freedom Act--that would do several things in this area: It would create a special advocate to promote privacy interests before the Court; it would create new requirements to make sure Congress is more informed of the actions taken by FISC; and it would require the disclosure of all FISC opinions that contain a significant interpretation of the law.

Do you think an ammendment protecting privacy and freedom on the internet will be necessary to protect us from spy agencies? So far the bill of rights hasn't stopped them and with all of the bills being introduced to limit the once open internet it seems inevitable that the internet as we know it will soon be much more heavily censored and watched.

And if an ammendment was proposed now to protect privacy online do you think it could pass?

I think we need to strengthen the 4th Amendment which has always been slow to adapt to new technology. For example, for 50 years it was legal to listen to phone calls without a warrant and the first Supreme Court case actually held that. It wasn't until the 1960s (US v Katz) that the court ruled that unconstitutional.

In the meantime though it will certainly help to update our laws.

I don't see how an amendment gets passed, and really how you'd distinguish it from the 4th Amendment in the first place... Also, getting any kind of Constitutional amendment through these days is nearly impossible (how many people here were alive the last time a new amendment was proposed and ratified?).

Instead, the focus needs to be on restoring the 4th Amendment to what its clear purpose was. That's going to require changes to laws by Congress, but also (hopefully) some clarification from the Supreme Court on how things like Smith v. Maryland are being misinterpreted to act as cover for bulk data collection.

On a scale of 1-10, 1 being absolutely no privacy, and 10 being total privacy, how would you rate where we are right now? And where do you expect we will be in say 50 years given your understanding of the forces at work?

Also, what is your favorite Christmas song?

Other commenters may (likely will) disagree with this, but I think that putting privacy on a "sliding scale" is a little misleading. When privacy is done right it's about tradeoffs that you get to make.

Here's an extreme example: when you leave your house to go to the store, you are giving up a tiny bit of your privacy (someone can see you walking down the street, they might see where you live, or what store you shopped in and what you bought). But you consider that tradeoff to be worth it to get some food/take a walk/get some fresh air/whatever. But, at least in that case, you understand the basic tradeoffs and are making a conscious decision of "this is worth it for the little privacy I'm losing."

So I have trouble with the idea of "total privacy" because basically no one really wants total privacy. But what people do tend to want is both a knowledgeable understanding of what the tradeoffs they're facing are, and to be able to make the decisions themselves if they're worth it.

The problem we're seeing with things like ECPA and the NSA stuff is that we aren't given the information, we have no way to make the choice, and the "tradeoff" we're being given is a terrible deal. So rather than trying to get to "total privacy" I think we need to be getting towards greater knowledge, transparency, oversight and the ability for individuals to make reasonable decisions about their own privacy.

And, while I'm not a huge fan of Christmas music generally (sorry!), to keep the theme going, I think it's gotta be "Santa Claus is Coming to Town" for this particular AMA. "They know when you are sleeping. They know when you're awake. They know if you've been bad or good... so encrypt for goodness sake."

Not sure how meaningful a number would be, but looking forward 50 years, I think it's easy to imagine a scenario where massive databases assembled for Extremely Important National Security Purposes (regardless of how well they serve those purposes) are gradually made accessible to more components of government, first for ordinary law enforcement, and eventually for administrative and regulatory purposes.

And "Fairytale of New York" by the Pogues. (Honorable Mention, The Eels "Everything's Gonna Be Cool this Christmas")

Julian is definitely the coolest of the four of us on this AMA - as evidenced by his song choices

I view privacy as a continuum of rights. We are getting scarily close to a 2 in terms access to information. Right now the NSA attitude for example seems to be any electronic record is our, and it's totally legal. Given that everything is an electronic record that is pretty scary.

However governments (and companies) aren't always using everything they know either because of legal rules or because they realize it would freak people out. So say a 5 with a serious downward drift.

And Silent Night.

edited for typos - likely to be a theme :)

This is a tough question, there are so many variables. I'll answer it in terms of domestic digital privacy, which is what the Electronic Communications Privacy Act (ECPA) deals with. I would say we're at a 3. And the only reason I say that is that some of the big Internet companies have started to push back against ECPA, which most see as unconstitutional, and they are actually demanding warrants for their customers' communications content. This is awesome. But the fact that there is a law on the books that says the government can get our most private communications content without a warrant is simply unacceptable. It flies directly in the face of our Fourth Amendment values, and until it's updated to require a warrant for all communications, we won't have strong digital domestic privacy.

For the song - it has to be Santa's Coming to Town, right? We're talking privacy, and he knows if you've been bad or good...

Also, speaking of Christmas and privacy, check out this Stop Spying on Santa site

What do you think is the best way to build public support for NSA oversight reforms/improved digital privacy protection? I've found that most people who shrug these concerns off know little about technology, so is the answer to inform and educate more people about technology and THEN tackle digital privacy and Fourth Amendment rights?

Education is certainly key but I also wouldn't overlook pushing people who do understand the problem. Your tech savvy friends may well get it but not be acting on it - we're all busy people! Encourage them to sign a petition or send a letter to a Congressperson (yes they do read them - especially if they're individualized).

Signing the ECPA reform petition now. Thanks!

Thank you! At the end of the day that's really the only way to do it - one action at a time.

how can we defeat the "I have nothing to hide so why does it matter?" crowd? Complacence is the state of life in America these days.

Ask for their Google password.

How do you feel about the Supreme Court refusing to hear the case on domestic spying even though it's a clear violation of the fourth amendment?

The Court will certainly have other chances. Our case, ACLU v Clapper, is certainly one. The Court frequently likes to build up a record and gather opinion from the lower courts - I don't think we've heard the last of the issue.

Could the 3rd Amendment be used in a privacy case?

Some analogy along these lines: the NSA (or pick the agency) acts as a military force that resides in our homes and interferes in how we live our lives due to the lack of privacy.

Why or why not?

Honestly I no idea. :) The 3rd Amendment isn't one that we spent a lot of time with in law school (FYI it deals with quartering solders in people's homes). My suspicion is that most courts would view the 4th Amendment as more applicable because it deals with being secure in your home, papers and effects.

My friend Alan Butler has actually written about this! https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2257078

Hi, this is Mark Stanley, campaign and communications strategist at the Center for Democracy & Technology, a digital rights group working in DC - I've been working on digital surveillance issues for several years now, from CISPA, to NSA surveillance, to ECPA, and I'm really excited to take part in this.

[deleted]

Hey, I'm not a lawyer, so I'm a poor substitute for Chris, but let me try to answer your question about judicial remedy. As I'm sure you're aware, since you're a 2L and seem very up-to-speed on these issues, there was a ruling in the 6th Circuit case US v. Warshak, which held that it was unconstitutional for the government to compel companies to turn over the contents of customers' communications without a warrant. This was a big ruling, but the 6th Circuit is only comprised of Kentucky, Michigan, Ohio and Tennessee. We need a national solution, and that should come in the form of an update to the federal law, because other courts have proven slow to move on this issue. That means Congress should take the lead and update ECPA.

First of all, thanks for taking time to do this AMA. I'm a huge fan of all of your work, both collectively and individually.

From a consumer perspective, the third party exception to 4th Amendment privacy is particularly concerning in light of the fact that just about all my personal communications are stored with third parties. I'm helping to spearhead a lot of the privacy initiatives at my company - what are some best practices that we (or any business) can implement immediately to help mitigate the negative effects of our current outdated laws?

Fantastic question with so many good answers. Here are a few: 1. discard info you are no longer using - you can't share what you don't have. 2. resist sharing up to the legally allowable amount. Many times companies can share but don't have to. This may have the added benefit of making law enforcement ask less.

The ACLU affiliate in Northern California published a whole report on this. See: https://www.aclunc.org/blog/aclu-guide-tips-companies-protecting-user-privacy-and-free-speech-2013

I also have to snark a little. Here is what then–Secretary of State Hillary Clinton said about the issue in 2011 ““we have to make sure that human rights are as respected online as offline,”” and specifically said that the task of ensuring internet freedom was ““most urgent, of course, for those around the world . . . who are being tracked by governments.””BMftn1[1] Secretary Clinton suggested that private companies should promote human rights by asking questions such as, ““Is there something you can do to prevent governments from using your products to spy on their own citizens?,”” and ““How will you handle requests for information from security authorities when those requests come without a warrant?””BMftn2[2]

Clinton’’s statements are available here: Hillary Clinton, Secretary of State, Address at Conference on Internet Freedom (Dec. 8, 2011), http://1.usa.gov/tQffPM

It's funny - that's all we're asking them to do with ECPA reform - get a warrant.

Thanks so much! From what I've seen, "we don't want criminals using our products" is the corporate equivalent of "I have nothing to hide." What is your response to that perspective? If a law enforcement officer came to us and said "we're investigating a mass murderer who we think was using your product," why wouldn't we turn over the legally allowable amount of data?

Sure - but police investigating mass murders typically have lots of proof that they are happy to show a judge. If it's an emergency, there are exceptions in the law. It's never all or never, just have appropriate controls.

How slow is the process of change? What could be done to speed it up?

Well, it depends on what you mean by 'process of change' - I have to say, if you're talking about Congress updating the law for digital privacy, then the process has been slow. ECPA was first passed in 1986 - back when few had access to email. And yet it governs email privacy! It doesn't make sense - email was much different back then. The good news is that, although Congress has been slow to act, we finally have serious, serious momentum. A bipartisan ECPA bill passed out of the Senate Judiciary Committee. And that same bill has nearly 160 cosponsors in the House (of course, the magic number is 218 to get a majority). Members of Congress are really starting to see this as a commonsense update, and now we need the White House to get on board too!

Getting things done in Congress is often like that - it's slow until it reaches a certain point and then things happen very fast. This Congress has obviously been particularly slow!

My hope is that we can pass ECPA reform and that then serves as a bridge to the next set of issues like NSA reform.

What can I do personally to help? I live in Canada Ontario and have sent letters/E-mails to my MP against C-8 (and C-11 in the past) but that gets me nothing more then a condescending letter as a response. Even as a Canadian is there anything I can do to help Americans at the least?

Speak up, speak out. Tell your friends and family. Explain why this matters. Honestly, the more informed and aware the public is, the more stuff will change. I know that people are cynical about the process, but that cynicism only leads to apathy and no change at all. When people really are knowledgeable and vocal, things can and do change.

Letters to government officials may not feel like they're doing much but they do help in the long run (as do phone calls). It's surprising just how few phone calls can shift a debate. As a Canadian trying to influence American politics you may have less direct say, but that doesn't mean you can't influence the debate. Beyond continuing to push back against bad bills at home, talk to others about how this impacts you (especially since the US government seems to think foreigners have no privacy rights at all). Governments around the globe are beginning to realize that their citizens are upset about the US government's actions, and that will lead to increasing diplomatic pressure. Alone, that might not be enough, but enough dominoes fall and things change.

Just to add to this: Every legislative staffer I've ever spoken to says that CALLS matter most. E-mails basically get a form response and vanish into the trash three seconds after a human sees them. Letters matter maybe a little more. But calls make a difference. If a Congressional office that gets 1000 emails about an issue, the elected official may not even be aware of it—but 1000 calls and you're definitely going to get noticed.

Is this a lost fight? I don't think it should be, but how do we get others to care?

I don't think this is a lost fight! Especially in terms of ECPA reform, i.e. requiring a warrant for online communications. We have a bipartisan bill in the Senate - it was intro'ed by Senators Leahy (D) and Lee (R), and there is a bipartisan bill in the House that could easily get to over 200 cosponsors. And there are a number of state bills that have passed--including Texas, Montana, and Maine--that would add privacy protections that aren't there under ECPA. So we have momentum in the states. Of all the privacy issues before Congress, I think ECPA reform is one we could absolutely accomplish in the near future - we just need the political will from the public to push this over the edge. To that end, please sign and share this petition: http://www.digital4th.org/petition.html

what should i be most afraid of with my online privacy being violated?

The long term erosion of your rights. We all rely on privacy in ways we might not always appreciate. We take for granted that we can complain about the gov't without repercussion but it doesn't have to be that way. And for some people right now, it isn't.

Activists are harassed. Whistle blowers face serious repercussion for reporting wrongdoing - even if they are eventually vindicated. Journalists need may not be able to privately talk to their sources.

Each of us rely on those people to support a free society. Harm to them is a harm to all of us.

As an educator, I sometimes worry about what I do online in regards my own personal life and interests due to my job. Could my school system or a parent fire me or raise an issue if they were to find my social media accounts or especially some of my class blogs from college as some of them have content and language that is definitely not school appropriate?

Tough question. I'm actually going to preface it by saying that I can't give you legal advice (I don't have the time to do research and certainly don't want you to get in trouble acting on my advice). If you're really worried I would ask you union rep (assuming you have one) if they can put this to the union counsel to get a read of the laws in your state.

We have certainly seen people fired or disciplined for ridiculous reasons based on social media posts. I would advise that you do some basic things like not friend students or even reference your social media presence in class. Nor would I bring up anything else you don't want them to go home and google. Ultimately, as annoying as it is, you may consider doing a little sanitizing - especially anything drug or alcohol related.

Why do you guys believe this is such a pressing issue now, rather than over a decade ago when the laws were placed to allow them to finance their monitoring of the US population? I understand that the recent Snowden scandal has caused the issue to be given more visibility through the media that reports on it. However, wasn't the time for action when the laws were being put in place? It seems like a bit too little too late, as the infrastructure for the government to monitor the US as a whole is already set.

In addition to Mike's great list I will also note that it recently came out that for a long time the IRS wasn't getting warrants to read email. That angered a lot of folks.

Plenty of us have been pushing for ECPA reform for years. Senator Leahy has introduced ECPA reform bills multiple times in the past only to see them fail. So it's not an issue of it just being pressing now. It's been pressing for a long long time.

As for the time being "when these laws were put in place," well, ECPA was put in place in 1986 in a very different electronic world... Also I disagree with that general premise. Lots of bad laws get passed, or situations change, and laws get changed/corrected/updated.

And, while the NSA/Snowden stuff is new now, it's actually somewhat different and unrelated to ECPA reform. However, that has made more people realize just how much of their private info is available online...

What can digital security companies do to protect themselves from government intervention (vis a vis Lavabit) that effectively nullifies their technology? Does the media attention over PRISM, Snowden, NSA, SOPA, PIPA, etc mark the twilight for a new age in digital security, or should brave companies wait out the internet privacy media attention for fear of getting shuttered like lavabit? Thank you, guys!

So, one thing to do is not retain information longer than necessary. If you don't keep it, you can't be ordered to turn it over. End-to-end and open source architectures can also help: If you're running open code, the government cant demand you put in a back door (well, not one that stays hidden very long), and if the users are the only ones who have their keys and credentials, you can't be ordered to provide access. And, as Yahoo and Google and Microsoft have recently learned, you want to encrypt your data even between your own data centers if possible.

It seems disconcerting that neither political party is interested in championing online privacy rights.

Are there any politicians on either side that have been especially supportive of this cause?

Someone asked this question, and Chris and I gave an extensive list in a thread above. I think a fair number of politicians from both parties actually care about online privacy rights. In fact, it's one of the things that's interesting about this issue: It really does have bipartisan support. It's fascinating, being in Washington, so many issues are political polarizing, but not digital privacy at all.

What can you tell us about the U.S. Government's ability to access e-mails stored on e-mail servers for 6+ months?

Under ECPA, law enforcement and regulatory agencies can access emails stored for more than 180 days. Back when ECPA was passed in 1986, people didn't store emails very long on servers, because it was expensive. If it was stored for over 180 days, it was considered "abandoned." Of course, now we have nearly unlimited, free storage, and the 180 day rule makes absolutely no sense.

Honest question here. I swear I'm not a troll.

My question is, why should I care about my online privacy? I could care less if someone wants to waste their time going thru my emails or search history. I honestly have nothing to hide, so I've never cared for these posts about such things. Tell me why I should care.

If it keeps one person from dropping a bomb or selling a child into prostitution I'm all for it. I don't live near an interestingly enough life to give a hoot if someone wants to check my name out.

I was trying to find my answer from earlier but one short answer is that lots of people who you rely on to keep America vibrant and free - journalists, activists and whistle blowers. It's not just about protecting you. :)

Also you'd be amazed at the vast tools police have at their disposal that are totally constitutional - it's never all or nothing.

How can I, an average Joe, make information about myself more secure? I mean, aside from the obvious "don't go online" - I've trimmed my facebook profile the hell down and I only use the same password for three separate things, maximum. Also, what do you guys think of Mozilla (Firefox folk.)?

The Mozilla folks are great! Mozilla is actually supporting the White House petition - here's a blog post on ECPA reform they published today.

I would like to see text in the ECPA that forces organizations/businesses to disclose to you: which personal data of yours they have, how long they've had it and offer the option to permanently be erased from their database. This would allow an individual to be in control of his/her personal data. e.g. If a company only has my home mailing address, it would send me snail mail that contains the above information; if that company only had my email I would receive an email. Does this not sound reasonable? Could text/idea like this be included in a reform of the ECPA?

I think that ends up being more problematic than you might think on face. On the one hand, you have services where reputation—including potentially negative information about people—a critical part of the service provided. (Yelp, CouchSurfing, eBay, maybe some dating sites). Those might depend on people not being able to just erase negative information—there are certainly doctors and dentists who have tried to do exactly that with Yelp. More generally, the tradeoff with a lot of sites is "we're going to provide something free, in exchange for information we can use to make money via marketing or whatever." If the law means that the deal has to be "information we can use until you tell us to delete it," it may not be as viable to offer the free service. There might be specific types of businesses or sensitive information where a deletion requirement is workable, but a generic one seems likely to have unintended consequences, not to mention bumping up against potential First Amendment issues.

There are certainly lots of people that would like to see something like this in law. In fact the White House called for something very similar last year. See: http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

It's tough to do this as part of ECPA reform because that is so focused on the government right now but it's a good idea!

Is it actually possible to will back all the domestic spying that NSA/CIA is doing? Would anyone actually believe them if they say they stopped domestic spying?

Yes, it's possible. But, yes, it will take significant oversight and real reforms. It's happened before (Church Committee), and while some would argue that it didn't work since we're back to where we are now, that ignores that it made a huge difference in how the intelligence community acted, and the recent issues are more due to them embracing new technologies to get around those old restrictions.

Can you please provide a simple reason about why I, an average person who has committed no crimes and has nothing to fear, should care whether or not the government is reading my emails or my web history? I honestly believe I have nothing to fear. Could one of you try to change my mind on this?

Edit: changed 'birthday telephone call' to 'email and web history' due to thread being about electronic online privacy.

Here's something I wrote on the "nothing to hide" argument—hope you don't mind if I link it, since it's long, rather than trying to reproduce it here. The very short version is that you have to think systemically, not in terms of "what is someone going to do to me, personally, next week?" but rather "what kind of society emerges over time when we create these architectures of monitoring?" http://mashable.com/2013/06/13/julian-sanchez-nsa/

This is one of the most common refrains I hear: 'I have nothing to hide.' But challenge yourself on that: Do you really have nothing at all you want private from the government? Forget about the birthday call - there are certainly other things that you want to keep to yourself? And if not, maybe one day there will be, but the safeguards that were supposed to protect your privacy will have been eroded. Put another way: Everyone has nothing to hide… until they do. Second, it isn't always about you. Oftentimes, some of the greatest figures in our country's history, including civil rights leaders in the 60s, were the targets of troubling, undue government surveillance. When thinking about surveillance, don't just think about yourself - think of the human rights advocates and journalists and others who need to be free from undue surveillance to do the jobs that are so vital to the interest of this country.

Another thing to consider is that the gov't hasn't been shy about singling out "ordinary folks" for serious scrutiny. There is an entire "no fly" list of people (including American citizens) who are too dangerous to fly but not dangerous enough to arrest. That entire process is secret and their is no real way to get off the list. We have a lawsuit about it: https://www.aclu.org/national-security/aclu-files-lawsuit-challenging-unconstitutional-no-fly-list

So imagine the secret spying that gets you on a secret list.

Signing petitions does not work nor is it long term effective, not sure organizing the people is long term effective. IYHO getting the measure on the ballot would that be the most effective counter-measure?

It's important to remember that the petition is not the end. It's just a tool to that end - changing the law. Toward that goal we actually have bipartisan bills in both chambers of Congress. But some administrative agencies are holding them up because they want more power. We want the White House to tell them to knock it off. So it's actually a pretty strategic petition aimed at a particular goal in our larger effort.

I disagree. Not all petitions are effective, but we've seen multiples times that the WH has used the cover of a petition to suddenly endorse a position it had avoided before -- and there are strong indications that this may be true with this petition as well. Making it easy for the WH to say "the people want this" can be very helpful in tipping the balance here. By itself petitions may not do much, but they can be a useful part of a larger campaign.

Separately, organizing people absolutely can be very effective, if you get enough people actually involved.

only CISPA and SOPA. But there were much more then online petitions. people were calling their reps, online companies speaking out agianst them. Even many tech savy congresspeople were speaking out loudly against SOPA and CISPA.

More than CISPA and SOPA. Don't have a full list handy but I know it was also helpful on the phone unlocking situation -- and that was one that didn't really have much outside support.

But, yes, you need more than just only petitions and the effort here is about a LOT more than online petitions. You have bills actually in place and a lot of vocal support in Congress.

Have any of you gotten threats/blackmail from anyone, Government or otherwise, due to any of your activities?

No threats but if, hypothetically, one of my friends in the administration were to give me inside details on some of these programs I would never put it in an email. Of course that never happens but imagine if it did - would really hinder your work to not be able to communicate things electronically.

I think they know better than that. If they did, I'd be shouting it from the rooftops. The way this has worked historically, though, is that derogatory information about political opponents is leaked indirectly, in a way that is difficult to trace back to government.

There are some states writting laws to stop domestic spying on its citizens. Could these laws actually stop the NSA/CIA?

I think it's tough for states to weigh in on the NSA/CIA however there are actually a ton of things states can do, in fact they are frequently a hot bed of activity on privacy. Here's an incomplete list of some of the many issues states can regulate or be involved in: 1. location tracking 2. license plate readers 3. email privacy (state ECPA bills) 4. drone surveillance 5. employers accessing employee social media accounts

Go seek out your local ACLU affiliate (there is one in every state). They are likely to have at least one bill you can support at the state level.

What is the best way to balance freedom with security? Also, a question I ask a lot - if what the NSA is currently doing has saved one innocent American from death, is it worth it?

Well typically the gov't successes from the NSA program don't hold up to scrutiny. Here's just one example https://www.aclu.org/blog/national-security/no-nsa-poster-child-real-story-911-hijacker-khalid-al-mihdhar

I think it's very fair to be skeptical of them but ultimately we have rules for good reason - our founding fathers know that police and gov't could run amok if not contained. They crafted a very good balance that has held for two centuries.

I agree. But if has saved an innocent life, was it worth it? I think this is a tough question. If it's worth it, then we should be okay with it. If it's not worth it, we are placing more value on our principles (ideas, ethics, whatever) than the life of an innocent person we do not know.

Well, arguably we do this constantly. Could police catch one additional murderer if they could search houses without warrants? Maybe so. We think that's a price worth paying to live in a society where the police can't march into your house without a warrant.

As a non-American Graduate Student in America, do I have any reasonable expectation of privacy? Do I qualify for the First and Fourth Amendment rights? Do I have the rights against search and seizure?

In other words, what rights do I qualify for while I stay here in America?

Yes, the short answer is that the Constitution applies to you in the US. It's more complicated that that in limited circumstances but that is basically the rule.

Mark,

How effective do you believe the CDT is in informing congress about how their bills are backwards and absurd? If not, why not?

I ask because while in healthcare I visited HIMSS and AMIA conferences, and they seem to work fairly well with elected leaders.

I think we're pretty effective :) We take into consideration all perspectives when working on any issue, but at the end of the day, we are staunch defenders of a free and open Internet, and we do our best to defend digital liberties by working closely with Congress.

I preface this with a thank you. I am currently in a media law class that studies all types of laws, court cases, and events. My thank you comes in because it seems that whenever I read of an organization standing up for us it is you guys. Your organization has fought tyrannic laws for decades and done so much for everyone in this nation. You guys are like Batman but with lawyers. And hopefully parents.

Question: What is a good way for a college aged filmmaker to take action?

Man that is super nice. There sure are lots of good lawyers in the ACLU's past and I'm always proud to be part of that tradition.

In terms of getting involved I would tap your own creative vision. What do you like about American in terms of keeping things private (or sharing them). What bothers you and your friends? Then tie it to an action of some kind. Doesn't have to be the NSA, it can be a state privacy issue or part of a larger campaign like ECPA.

TL;DR plug in, care, create, act

edited for typos

I have read this stuff for years. I sign the occasional petition, and I write to my reps when bad bills like SOPA are brewing. I feel like a broken record, and like we are sitting here clicking on petitions and writing reps, and "reforming" anything in the present climate will surely mean reform in further favor of monopoly rights holders. What can we do? Beyond petitions. Mike I've read TD for like eight years. I can see the frustration in your words too..

I try to balance the frustration and optimism. :) I'm an optimist at heart and over time we do see changes and they're good changes. The fight against SOPA worked. More people engaged means more good stuff happens. It's frustrating in the short-term but can be quite good in the long term.

You can petition all you want. I've learned one immutable, universal truth about this administration: They don't give a rat's ass about what "the people" want. You could get every single person in the country who can type or hold a pen to sign that petition, and it'll get looked at, and torn into 4"x4" squares and used like they're using the Constitution. I applaud your effort and your cause....but with these people, it's a fruitless endeavor.

I see this kind of cynicism a lot and I think it's dangerous. As I've said repeatedly elsewhere, while the WH may ignore many petitions that is NOT universally true, and with coordinated campaigns they often do respond. And, in fact, on this issue there are many indications that they're looking for something like this petition to make a public statement in support of ECPA reform.

I have my problems with many of the actions of this administration too, but I think this kind of absolutely defeatist attitude, saying that they'll never so anything is really harmful. It plays into the hands of those you disagree with.

Also, it's not true that they completely ignore the will of the people. Enough people make a difference. Cynicism has its place (and I feel cynical probably more often than most), but misplace cynicism simply gives a victory to those who you disagree with most. Don't give them that simple satisfaction.

How big do you see the problem of public apathy, or lack of education about technology? It's easy to understand why police shouldn't have the right to drive by, open up your mailbox at random, and start sifting through your mail.. but it's difficult for the average joe who's not technically inclined to make sense of all the acronyms, technical terms, and confusing concepts involved with expanding technology. This problem is even worse with seniors, as many of them simply refuse to learn even basic computer skills, and ultimately in terms of privacy just throw up their hands and decide to trust the government.

Well everyone isn't able to care about everything, of course. One thing you can do is let people know that legal change is possible and does matter. Point them to the petition or an email action. Or a physical letter if they don't use the internet.

If you try to explain it and someone's eyes start to glaze over, just say "listen, do you trust me that I know what I'm talking about? Yes? Then do this!"

I know it's a short cut that doesn't actually educate people but if their rights are protected, well they can thank you later.

What advice would you give to someone who would want to make an eventual career out of protecting civil liberties, preferably without a law degree?

There are lots of ways to be involved without a law degree. I think only one of the four people in this AMA have a law degree. I don't. There are tons of writers and activists who are making a real difference, and lots of way to hook up with them -- or just build your own voice and become identified with certain issues.

Also a non-lawyer, though I will immodestly suggest that I know ECPA/FISA & Fourth Amendment law as well as plenty of lawyers. The information is out there—if you don't need to litigate and are willing to spend the time and a few bucks on books, you don't need three years torts & contracts to learn enough to be an effective advocate. Put in the time and effort to learn the issues and just start writing; if you have something interesting to say, people will notice.

Hello. First, thanks for doing this AMA.

Unfortunately, the matter of electronic surveillance without a warrant is very current in several countries, including mine.

How would you explain the fact that such initiatives are often backed up by representatives of the people themselves? Are we talking incompetence or betrayal? Maybe even something else that I fail to imagine?

Also, do you think that polite rejection from the people is enough to stem this kind of non-progress?

I think, at least here in the US, the fact that ECPA hasn't been updated is just an unfortunate fact that sometimes the status quo can get entrenched, at least when it comes to federal laws - our technologies have changed, but the laws that impact those technologies, like ECPA, don't always keep pace. But we're closer to reform than we've ever been.

The trouble with electronic surveillance is that it's generally invisible. When police march into your house with a general warrant, people tend to notice and get outraged—when they use the modern equivalent of a general warrant, even if the information is ultimately misused in some way, the people whose privacy is violated may not ever become aware of it. If, on the other hand, criminals or terrorists are captured, that can be touted as a success of the system even when police could have obtained the same information by less intrusive means. That, I think, is the basic political dynamic.

How is this a problem that we'd even be able to fix?

Simple, Congress should finally update ECPA. It's been 27 years since it passed - it's time for an update

My question is more nuanced than this: do you think they would willingly give up their ability to do this?

I realize congress isn't the one doing the spying, but I think expecting the government to give up any of its power isn't something we can count on.

There is a lot of interest in Congress (and actual bills) to reform this. Yes, law enforcement (and the IRS and SEC in particular) are against this, but don't think that just because it's all "the government" they won't move forward on this. It has a very real possibility of moving forward.

What is this bill and why do you like it?

There are a few bills to reform ECPA that we like that currently have momentum in Congress - one is in the Senate, and was intro'ed by Senators Leahy (D-VT) and Lee (R-UT); another is in the House, and was intro'ed by Reps Kevin Yoder (R-KS) and Jared Polis (D-CO). We like these bills because they would require a warrant for the government to access the content of our digital communications, just like it needs a warrant to access our postal mail.

Mark -- I'm writing my thesis on youth privacy rights, and I'm disappointed by the "eraser laws" enacted in CA and proposed elsewhere. These laws require certain web sites to delete material posted by minors upon request...as long as that data hasn't been interacted with by others. CDT rightfully points out that companies may simply respond by barring minors from using their services. Is there any way to enact rights-based protections for minors without segmenting the internet? For that matter, is it appropriate to have privacy rights that only apply to young people?

We've actually already seen something much like this: Child online privacy laws mean that many kids under 13 are nominally banned from using services like Facebook, with the result that they simply lie about their ages—sometimes with the assistance of parents—to get access. It's not clear how you can implement age-based restrictions effectively without a burdensome system of ubiquitous age-verification that raises its own privacy issues. In principle, I have no problem with saying "look, children can't meaningfully consent to provide information and the rules should be different there," but as a practical matter it seems difficult to implement that idea in ways that don't create serious secondary consequences.

Hi.

I wondered if there were any people in congress here in US who are taking the lead on this and making it their issue, and I wonder if any specific legislation has been proposed or is making the rounds online.

Do any of the participants have a model over what privacy legislation would specifically look like? It seems like we need a very specific "act" for people to get behind and support. The more I think about the issue, the more complicated writing legislation seems, even though there is probably a coalescing consensus on the basic things that need protection.

How can we get to the point where we have a specific proposal?

Patrick Leahy has legislation to fix problems with the outdated ECPA statute. A separate bill, the USA FREEDOM Act cosponsored by Leahy in the Senate and Jim Sensenbrenner in the house, addresses a range of problems with NSA surveillance.

The best way to defeat groups such as the ACLU, CDT, EFF, etc. is also very easily done: diffuse your focus. Get each group to focus on something different. Cause in-fighting over priorities. Cause frequent changes in focus to the trendy cause de jour. Weaken insidiously from all angles.

This AMA is focused on ECPA, but in so many other cases I see the above strategy working exceedingly well as witnessed by the cynicism. What efforts are going on to keep focus and unify efforts? Is there Project for the New American Century equivalent? Why, for example, is the EFF not here?

Lots of groups are working together on this and a number of other issues. EFF is heavily involved in this effort as well. Just because they're not on the AMA doesn't mean they're not active on this issue...

There is a loose coalition of different groups, organizations and individuals who are all working together on a variety of issues of importance concerning "digital" issues. I don't believe there's any lack of focus. With a loose coalition you get different ones taking the lead on different issues, and everyone else supporting where and when necessary. It's actually been fairly effective.

Hi Team!

This question goes to Mike Masnick, as I referenced you a lot in a paper I wrote for my patent law course relating to reforming patent legislation in Canada, using the US as an example of what we want to avoid (even though we aren't perfect either). I'm just curious on your thoughts of using some aspects of copyright, like independent innovation, and incorporating them in to patents? Maybe to take things further open-sourcing inventions? Similarly, do you think a "make use of" provision, defined quite narrowly, but not so narrow to hinder small inventors. And would not include law suits as making use of, would prevent NPEs from pursuing frivolous lawsuits?

Also, just a thank you to all of you who are involved in what you do. I interned for a semester at the Canadian Internet Privacy and Public Interest Clinic (CIPPIC), and really admire a lot of the work you folks do.

This is a little off-topic on the privacy focus of this AMA, but it is an AMA after all, so I'll take it (why aren't you asking me about Rampart?!?).

I'm a HUGE supporter of the independent inventor defense for patents. It's probably the single biggest concept I've pushed for. I'd actually take it a bit further than a mere independent inventor defense such that independent invention should be a sign that an invention is considered "obvious" to those skilled in the art, and therefore the underlying invention is not subject to patent protection.

Do that and I think you get rid of 80% of the problems of the patent system.

I'm less enthused about a "make use of" provision, because I can see situations where, say, it's not so easy for the inventor to make use of something and this could hinder some situations. Some have suggested a modified make use of provision where you'd just have to show some sort of effort towards putting the invention into practice... but the specifics here could matter quite a bit.

I heard your ad on my radio station just as I was returning from lunch!

It's my understanding (IANAL) that "data" belongs to whomever generated it. This is why the Feds can simply ask Google, "So yeah, those server logs...can we have a gander?" If Google says no, the feds need a search warrant for GOOGLE, not for me.

E-mail is kind of the gray area of "Well, who owns the hard drive?" since the e-mails were technically generated by someone else but it is stored digitally on a storage device.

Too be perfectly honest, I'm not sure where I stand on this issue, primarily because I have conflicting interests. Of course, I don't want Google to just willy-nilly just give away my e-mails but at the same time, I personally don't want to respond to my users asking me to sanitize my server (because, after all, it's my server; I paid for it, I develop it, etc).

What are ways around this that protect the end-user's right to privacy but also protect people like me from having to respond to user requests on my own private server?

IMHO, if I want privacy online, it's my job to do it. Encrypt my e-mails, use HTTPS everywhere (sure it doesn't stop the end server from logging my traffic but it does stop the occasional packet sniffer), hide behind 6 proxies, etc. I realize not everyone is this savvy but it seems like there isn't a way to guarantee privacy without sacrificing someone's personal liberty.

Well this is actually one of the points of the ECPA reform effort. Google and Facebook and Microsoft and lots of other companies are supporters. One of the reasons is exactly that - they don't want to be in the middle. Instead they want police to bring them a warrant. That way they don't have to deliberate, warrant = access. No warrant no access.

[deleted]

We just had a long discussion about this in a thread above. Like I said, it's one of the most common refrains we hear, and it's already popped up several times on this AMA. But check out the thread - we all weighed in with our thoughts