D.C., Maryland and Virginia candidates make the final turn and head down the home stretch toward Election Day.
Think the contents of your Gmail account are private? Think again. The scandal that brought down former CIA Director David Petraeus is shedding new light on the privacy of personal email accounts. Investigators apparently uncovered Petraeus’ extramarital affair when they traced a string of threatening emails from a Gmail account, and subsequently rooted around the inboxes of some of the most powerful people in Washington. Tech Tuesday examines the laws that govern online privacy.
- Julia Angwin Senior Technology Editor, The Wall Street Journal
- Orin Kerr Fred C. Stevenson Research Professor of Law, The George Washington University Law School
- Julian Sanchez Research Fellow, Cato Institute
MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. This month, email brought down one of the most powerful men in Washington. The scandal that forced David Petraeus to resign as director of the CIA began with harassing email.
MR. KOJO NNAMDIAccording to media reports, that anonymous email was brought to the attention of the FBI which used an array of tools to follow a faint digital footprint that would ultimately indirectly lead to Petraeus, narrowing down a list of IP addresses, cross-referring it with hotel records and ultimately rooting through the inboxes of a wider circle of people outside the scope of the original investigation.
MR. KOJO NNAMDIPetraeus' extramarital affair raised all kinds of ethical and national security questions, but for many, it also served to highlight just how little privacy we really have when it comes to our digital communications. After all, if the nation's spy chief can't find privacy on the Web, how can the rest of us? Joining us to discuss this on this Tech Tuesday is Orin Kerr. He's a professor of law at George Washington University Law School. He specializes in the fields of criminal procedure and computer crime law. Orin Kerr, thank you for joining us.
PROF. ORIN KERRGlad to be here.
NNAMDIAlso with us in studio is Julian Sanchez. He is a research fellow at the Cato Institute. Julian Sanchez, thank you for joining us.
MR. JULIAN SANCHEZThank you.
NNAMDIJoining us from studios at The Wall Street Journal in New York is Julia Angwin. She is senior technology editor at The Wall Street Journal. She's edited the journal's "What They Know and Watch" series. She joins us from studios, as I said, at The Wall Street Journal. Julia, thank you for joining us.
MS. JULIA ANGWINThanks for having me.
NNAMDIYou, too, can join this conversation. If you have comments or questions, 800-433-8850 is our number. Do you think it's naive or unrealistic to expect privacy in your email box these days? 800-433-8850. Julia, for cynics in Washington, the downfall of David Petraeus seemed to have a familiar ring to it, another powerful leader brought down by an extramarital affair.
NNAMDIBut journalists and privacy advocates immediately began raising questions about the tools that were brought to bear by the FBI and their legal justifications for use of those tools. Can you set the scene for us? What do we know at this point, and what don't we know?
ANGWINThere's a lot we don't know, but there are some stuff that we know. So what we know is that there were these harassing emails and sent to Jill Kelly, and she brought them to the attention of the FBI. The very first question that is raised is: Why did they investigate these harassing emails? There is a cyber harassment statute and -- but very rarely does an FBI take a case of harassment, unless it's like threat of bodily harm or, you know, hundreds and hundreds of emails threatening her. And even then, it's not always a felony offense.
ANGWINSo the question is: What prompted this investigation legally? But we do know they took it, and they went to the origin of where did these emails come from. They looked at what's known as the IP address of the computer that sent the emails, and there's a very low legal standard for getting that data as well. And they compared that to their -- they found that those were hotels and compared that to the roster of people who stayed there, cross-referenced it and found their suspect.
ANGWINAnd then from there, it seems that they've got search warrants to get into the email boxes, the contents of the email as well. And from there, they seemed to have opened up a Pandora's Box of information implicating one and possibly two generals.
NNAMDIWell, that's all we do know. What don't we know that you think we should?
ANGWINWell, I think that one of the key questions here is actually about the first emails because opening up an investigation for harassment is, you know, something that we would want to know what was the standard to be met for that because I have to say, like, my inbox, you know, if I could open up an investigation into some of the people who email me, I certainly would, and I don't think we want a world where the threshold is so low that you can get the feds to spy on people who you don't like or who are sending you things mildly annoying.
NNAMDINote to self: Stop emailing Julia. Orin...
NNAMDIOrin, the Fourth Amendment protects against unreasonable search and seizure in the context of my car or my home or even a snail-mail letter that I receive at my home. We've got a pretty good idea of what that means, but electronic communication is a rapidly evolving field. And many people feel that law enforcement is doing things that constitute unreasonable searches. Is it too early to make that determination? What's your take on the scandal as it has unfolded thus far?
KERRIt's not too early. Just over the last five years, we've seen a few court decisions on how the Fourth Amendment applies to collecting contents of emails, collecting records like websites that somebody has visited, non-content records are not actually what they're communicating but how they're communicating. At least so far, the courts have said that the contents of communications generally are protected by the Fourth Amendment, so a warrant would be needed ordinarily to obtain access to an email account, at least according to these court decisions.
KERRBut the U.S. Supreme Court has not yet addressed this question, and there's uncertainty in some of the other courts. The way the court system works is that we'll have a court from one region of the country that would lay down the law in that region of the country, but if other courts have not addressed it yet, the rules are uncertain for investigations that are occurring in that part of the country.
KERRSo I think the answer so far is that we do have some Fourth Amendment rights online, really in the contents of communications, and those are decent protections, at least in terms of regulating when the government can get access to your account. I think where the real privacy issue has become particularly troubling is what happens when the government gets access to that account and what are the limits that govern them as they look through the 30,000 or 50,000 emails that might be in a Gmail account. And I think that's one of the really pressing problems.
NNAMDIJulian Sanchez, you argue that this is a case study in the surveillance state run amuck, a kind of high-tech fishing expedition. What do you mean?
SANCHEZWell, at every stage of this investigation, I think there are some serious troubling questions that need to be asked. First, as Julia mentioned, of course, the fact that it was opened in the first place. I mean, the cyber harassment law she talks about had maybe 10 prosecutions in the last few years. So it's very odd that the investigation was opened in the first place. The second question, the authority that was used initially unveiled Paula Broadwell as the author.
SANCHEZNow, and this is -- when you're stripping away the anonymity of an anonymous speaker, I think there are First Amendment questions to be raised there. I mean, is the country founded by anonymous pamphleteers, so the idea that it's that easy to strip away the veil of anonymity should be a cause for concern. One news outlet, Reuters, has reported that the FBI used administrative subpoenas to get that information, those IP logs, meaning they didn't even go to a U.S. attorney, get a grand jury order, but used it on their own authority.
SANCHEZI can't find any statutory authority for the FBI to issue those kinds of subpoenas in this type of investigation, so that's a puzzle. And then as Orin mentions, having identified Broadwell as the author, you would think the investigation is complete because if the crime turns out DOJ lawyers decided these emails were not criminal after all but if the crime was sending these emails, having identified the author, you'd sort of wrap up your investigation, maybe you want to confirm that those emails really were sent from that account.
SANCHEZBut past that point, you have to ask: Why did they even get to the point of reading through years' worth of archived emails to uncover thousands of emails between Broadwell and Petraeus? It's, you know, at radical odds with the kind of rules we expect to be imposed that the Supreme Court has suggested really need to be imposed when we think about something like a telephone wiretap, where they're not supposed to listen to lots of irrelevant conversations.
SANCHEZThey're supposed to record the conversations that are relevant to a crime specified in the warrant, and we don't see that kind of a protection applied to in a way the much more sensitive archives that exist in our Gmail and Web mail accounts which can be much more revealing than let's say 30 days' worth of telephone conversations.
NNAMDIWe're talking about tracing your digital footprint on the Web on this edition of Tech Tuesday and inviting your calls at 800-433-8850. I'm glad you raised the issue of anonymity. Is anonymity an unrealistic expectation in the digital environment? What do you think? 800-433-8850. Do you think the rules that govern privacy are outdated or out of step with technology?
NNAMDIYou can also send us email to email@example.com, send us a tweet, @kojoshow, using the #TechTuesday or simply go to our website, kojoshow.org, and ask a question, or make a comment there. Orin Kerr, the laws that govern what government can and cannot do with our data were written back in 1986 because there was email or smartphones or cloud computing. Tell us about the Electronic Communications Privacy Act.
KERRThe Electronic Communications Privacy Act is a law enacted, as you said, initially in 1986, and for its day, it was pretty remarkable. It was regulating email privacy at a time before people had even heard of email, but the basic idea of the law was to -- it did three different things. First, it added computer communications to the Wiretap Act to the law that makes it a crime to listen in on somebody's phone call in real time.
KERRAnd then it also added privacy protections for stored contents, like stored emails. And then finally, it added some privacy protections for monitoring non-content information for phone calls, what they called pen registers. So this law has these three different parts, and the part that a lot of people focus on today that's really become the most controversial part of this law is the part governing government access to the contents of communications online.
KERRSo it could be a document that you have stored in the cloud or emails or text messages that are held by these third-party providers. This is really the big difference between physical space investigations and network space investigations. Online, the government is often going to third-party providers. They're going to Google. They're going to Yahoo, and they're being able to get records about users from what is held by these third-party providers that are the intermediaries you use when you use the Internet.
KERRThe really controversial part of this law from 1986 is that it didn't impose a universal warrant requirement on access to the contents of communications. Instead, it had a pretty complicated framework that allowed the government to get contents of communications with less process than a warrant, probably made some sense in the 1980s when people were not using email anywhere like the way they use it today, but I think it doesn't make a lot of sense today.
NNAMDIWell, Democratic Senator Patrick Leahy of Vermont who helped write that first Electronic Communications Privacy Act back in 1986 has been working to update the protections, but there are some questions, Julian, of whether the new protections will go far enough and even if they'll end up passing anytime soon. Where do we stand?
SANCHEZSo, right, the main change that he's proposing is a uniformed warrant requirement, so at the very least, it will eliminate the crazy quilt of standards that exist now where there's a different standard for access depending on whether an email is saved in a draft folder or is traveling over the wire between two computers or is sitting there unopened or is sitting in an archive for more than six months and just say, "No, across the board, a warrant is required.
SANCHEZThat seems, to me, like just absolute commonsense. It's the direction that, as Orin notes, that the courts are already moving in, so it shouldn't, I think, be as controversial as it is, especially given the emergency exceptions for really extraordinary cases. I really actually like to see given the concerns associated with the volume of information that can be accessed, though, some of the kinds of protections that apply to telephone wiretaps.
SANCHEZAgain, the reasons that the Supreme Court has suggested additional protections are needed for phone wiretaps all apply to email. One, it's secret. The person being searched doesn't know they're being searched at the time that it happened. Two, they are extended in time, which makes it kind of like a series of searches. So over the period of 30 days, many conversations are intercepted. In both of those ways, it seems to me email is exactly analogous to telephone conversations.
SANCHEZAnd beyond content, I actually think the fact that data costs, storage costs have fallen so dramatically, I mean, you know, it probably would have cost about $1 million to buy the amount of data storage space that just comes in your ordinary smartphone at the time ECPA was written. And the result of that is that the assumptions built into ECPA aren't that huge amounts of fairly detailed transactional information about everything we do are not going to be stored indefinitely.
SANCHEZSo they weren't, for example, thinking about things like the fact that your cellphone can be used as a tracking device because the companies are just storing your cellphone tower check-in data as a matter, of course, for their own purposes.
SANCHEZI think it's actually pretty important to look at not just the contents, but whether there are categories of transactional information that might be sensitive and deserve additional protection beyond just walk in with a subpoena and get it -- stuff like location, stuff like identifying anonymous speakers, stuff like identifying your membership in controversial religious or political groups, which your email transaction logs can certainly do because maybe you're a member of a discussion list, whether or not they actually read the contents of those emails.
NNAMDIJulia Angwin, Gmail provides users with a whole lot of storage capacity to the point that we no longer need to delete emails. If we're good, we archive useful messages. But if we're lazy, they just kind of sit in our inbox. That may really be convenient for us, but it turns out that it could also be really convenient for governments and companies mining our data at a basic level. It seems like technological advances are making it cheaper to store a lot of stuff. But that may be indirectly eroding our privacy by making it easier to hold on to old stuff. Care to comment?
ANGWINYeah. That's a very good point. I mean, this is -- a lot of the privacy issues are kind of economic issues at their core. Basically, the cost of collecting data about us has become so cheap, right? So Google can collect all my emails and store them for me and it's basically very little cost for them. And then the cost to me individually appears to be zero because I'm getting a free service. But what I can't estimate as a user is what's the long-term cost to me of having -- I can't actually estimate what it means to have my emails be searchable by the government.
ANGWINUntil that happened, it seems like it's never going to happen and then all of a sudden, it does. And so I think as a society, we're all trying to figure out really what is the price for paying truly for these free services. Are we giving out more than we thought we were? And I think a lot of people will think, well, I am personally not going to be searched by the government 'cause I'm not Gen. Petraeus and this and that.
ANGWINBut it is surprising when you look at the records that Google puts out every year about how many requests they get from the government for data about their users, and every year, it's rising astronomically. And so I think that people are becoming aware that this is a risk.
NNAMDIGot to take a short break. If you have called, stay on the line. We will get to your call. It's a Tech Tuesday conversation about your digital footprint on the Web and tracing it. Our number is 800-433-8850, or you can go to our website, kojoshow.org, join the conversation there. I'm Kojo Nnamdi.
NNAMDIWelcome back. It's Tech Tuesday. We're discussing tracing your digital footprint on the Web with Orin Kerr. He is a professor of law at George Washington University Law School. He specializes in the fields of criminal procedure and computer crime law. Julia Angwin is senior technology editor at The Wall Street Journal. She has edited the journal's "What They Know and Watch" (sic) series. And Julian Sanchez is a research fellow with the Cato Institute.
NNAMDIYou can call us at 800-433-8850. You can send email to firstname.lastname@example.org. Are there some types of communication and data that you simply do not conduct online? 800-433-8850. You can send email to email@example.com. I'll go directly to the phones and talk with William in Silver Spring, Md. William, you are on the air. Go ahead, please.
WILLIAMHi, Kojo. I was calling about how this investigation got triggered on Gen. Petraeus because I read in some reports that it actually was just a (word?) conversation Jill Kelley was having with a friend who works for the FBI. And then she then took upon himself to initiate, you know, going back to, you know, do some checks on this report that she'd gotten through (word?) emails versus her launching an official kind of request for an investigation. Can your panel kind of comment on those reports? Have they heard the same thing (unintelligible) ?
ANGWINYeah, I mean, it does sound like the reporting has indicated that she brought this to the attention of a friend, although it seems as though the friend handed it to another FBI agent. But there are a lot of questions involved about why did this investigation get launched at all, considering that it's not clear that there was really a serious crime committed here.
NNAMDIThank you very much for your call, William. Orin Kerr, from a user perspective, I hear these conversations. I feel like I'm being bombarded online. I know there are private companies making a lot of money building profiles of me without my knowledge based on the sites that I visit. Now, I know that the government is also following or maybe following me around, and we're learning that the government can require those private companies to turn over data about me. Do we need new privacy laws?
KERRI think we need to update some of the privacy laws, and more than anything else, we need clarity on what the laws are. So the courts are still at an early stage of figuring out how the Fourth Amendment applies to online communications. I mentioned earlier cases saying that the Fourth Amendment requires a warrant to be obtained to access emails. A few courts have held that. If the U.S. Supreme Court had held that, it would really address a lot of the privacy concerns that we have. The Supreme Court is probably a few years away from hearing a case on that issue.
KERRSo more than anything else, the laws are still evolving and are catching up to the technology. It's a constant problem in the area of technology law. And I think there's also kind of a cultural adjustment we need to make. So we're very used to the idea of the government monitoring people in physical space. So, you know, we watch a movie, and the government, you know, the agent drop -- gets in the car and says, follow that car, and we see a police officer walking the beat or we see the government break into a house with a search warrant. We're familiar with that.
KERRWe see it on "Law and Order" and other TV shows all the time. What we're getting used to here is kind of the digital online equivalent of all that. And it's new, and it's scary. And we're not quite sure what the rules are. So it's really getting used to this new environment which is going to be with us for as long as we have computer networks. It's only going to become more and more important over time, but it's just getting used to this environment that's really part of the problem.
SANCHEZYeah. I mean, when you think about something like deer freezing in headlights, that's a hard-wired, sort of, instinctive reaction. And it shows that the experience of feeling like we are observed is baked into our DNA at a pretty fundamental level. The flipside of that, though, is that when you're sitting in your bedroom, in your home with the shades drawn, typing at a computer, you feel like you're not being observed. You don't have any of those hard-wired triggers.
SANCHEZYou don't have the kind of reciprocity that exists when you go out into public space and have a pretty good sense of whether there are other people who are capable of observing you. And so our expectations are in a kind of radical flux, especially as the technology, in a way, evolves almost faster than norms can catch up with it.
NNAMDIWell, we got this tweet from John, Julia. John writes, "Email is like sending a postcard, not a letter. Use it accordingly." So, Julia, it seems here we have a suggestion that we should change our behavior rather than the laws or technology settings. What say you?
ANGWINI mean, that is something I hear a lot. People say, you know, look, get over it. You don't have any privacy. Just assume everything is in public. And maybe that is where we'll end up. But I think that email has become such an essential tool that it would nice if we, as a society, decided that we valued the idea of having some communications that we could consider private. That's why we have postcards and letters with envelopes, right? So it would be nice if there were two categories of email.
ANGWINMaybe there's some, you know, you know that when you store it in a certain way or you conducted on a certain way that it might be more exposed. But there should be some way, I think, we, as humans, desire a way to communicate privately, and we're not always really in physical proximity of the people we want to communicate with.
NNAMDIHere is Muaz (sp?) in Hyattsville, Md. Muaz, you're on the air. Go ahead, please.
MUAZHey, thank you, Kojo, for taking my call. Well, it seems likely you answered most of my question. But meanwhile, I will think about another one. So in the absence of the law and in the absence of our choice to require like the third tamper party don't give our email to the government...
MUAZ...is there any now, I mean, in this country, a third party can give you that option like once you use your email, please destroy it, I don't want to keep a record -- give you that option? And if there is one, we want to know about it, maybe something you need to pay for extra. But maybe that will be an option for a lot of people.
NNAMDIWell, a lot of different federal courts have interpreted the law in different ways, and there are some big questions about exactly how and when government can gain access to user data on the Web. There are some big lessons. Everyone seems to be agreeing. And one of them seems to be, if you want air-tight privacy, do not use a service like Gmail or Yahoo. Why is that?
KERRWell, I think generally, it's that these providers are going to be able to access the communications -- the contents of the communications, the -- your email, which is sent to an email provider or what you send and receive online. What's actually happening is that the -- your communication is being sent to service providers. In the case of Gmail, for example, I think their servers are in California. And it's a computer file stored on a very large server there that they can then access.
KERRAt the same time, there is an important technology that we have not been talking about yet, and that is encryption. And so there are lots of free services online that will encrypt your email. An encryption basically scrambles the communication so that it can't be read by somebody who doesn't have the digital key to the communication.
KERRAnd if more and more users start to use encryption, that's a way of securing a great deal of privacy. It's not guaranteed, but it's a great deal of privacy. Even when the government has a search warrant, they may not be able to read that which they obtain. So that's a technology issue, not a legal issue, but it's tremendously important to this overall picture.
NNAMDIWell, Julia, according to reports thus far, we know that Gen. Petraeus and Paula Broadwell did take some measures to mask their identities. When they communicated with each other, they apparently used a joint email account and communicated via draft emails that were actually never sent. They also used accounts with false names. But it turns out that neither of these efforts can really mask an identity very well. What are the basic tools that exist to sort of cover your tracks? We've just heard about encryption for one.
ANGWINWell, so I think that the way you think about the Petraeus issue is that they misjudge their threat model. So they were thinking, most likely, of their spouses. And so they wanted something that their spouses wouldn't be aware of. And so they were thinking about people who would maybe have access to their other accounts but wouldn't notice this other email account and that if nothing came back and forth.
ANGWINHowever, they probably weren't -- it sounds like they weren't thinking about the FBI because if they were thinking about government surveillance, they should've masked -- the very first thing they should have done is mask their IP addresses. The IP address is the address of their computer, and that is what was first used to unmask Paula Broadwell is the IP addresses from where she had logged on to this account that they shared.
ANGWINAnd that -- there are -- there's anonymizing software out there. The best known is called Tor that will basically route your communications in a way that scrambles that IP address so that you can't see it. The other thing they probably should've done was not use stored communications. So the way the law is written right now, as Julian and Orin have described, is that items that you store are considered -- have a lower legal standard for access than a wiretap, basically, which is real-time communication.
ANGWINSo if you want to force the government to work hard to get your information, you should try to use real-time communications because they need to get a wiretap to listen in. And so, basically, best practices here would've been using an anonymizer to mask your IP address and then using probably a real-time encrypted chat mechanism. There's something called off-the-record that's probably the best standard there.
NNAMDIHere is Rod in Baltimore, Md. with a different suggestion. Rod, your turn.
RODYes, my question -- it may have been covered, but my question is using Hushmail as opposed to Gmail which encrypts the emails that are being sent or received. I would like to get an input from your panel.
NNAMDIJulian Sanchez, we also got a tweet from Colonel Panic who says, "What about hushmail.com and other services?"
SANCHEZSo I won't claim to be an expert on Hushmail specifically, although I do recall that -- I think it was either Thomas Tam (sp?) or Thomas Drake who tried to use Hushmail in their correspondence with the journalists, and they were ultimately still caught leaking, basically whistle blowing about national security abuses. And so the issue there is, as I understand it, Hushmail, still themselves, has the keys.
SANCHEZSo they can still unlock the email. They can still hand it over, have to still hand it over in response to compulsory process. If you want your email to be relatively secure, what you need is what's called end-to-end encryption, meaning only the end users and not anyone in the middle of the process actually has the keys to lock and unlock each message.
NNAMDIThank you very much for your call, Rod. Orin, one of the key distinctions here from a legal perspective is whether a law enforcement agency needs to obtain a warrant to access our records or whether they can get the information from a subpoena, which is much easier to obtain. We don't know how the FBI ended up obtaining these email messages in the Petraeus case, but why is that important?
KERRYeah, there are actually three different standards that the government can use to compel communications or records from providers. The first is the search warrant based on probable cause as described in the Fourth Amendment, and this is the same standard the government needs to get -- to break into someone's home and search for evidence inside. It's a pretty solid protection. It means the government needs to show that there's a fair likelihood that the evidence described in the application is going to be inside the place to be searched.
KERRAnd the reason why that offers pretty good protection is that is has to be limited to a particular place like a home or a particular email account. And it needs to go before a judge, and the judge needs to review the application and say, yeah, based on this description of the case and description of why they think there's evidence here, I think there is probably cause.
KERRAnd then the far opposite of that is a subpoena. A subpoena is really just an order or a request, even, to disclose records to whoever is issuing the subpoena. A judge never sees it. It's not self-enforcing. So if a provider responds to it, they could end up disclosing -- usually it's going to be non-content records -- without a judge ever being involved.
KERRAnd the government is allowed to issue a subpoena, believe it or not, not only to see if there's evidence of crime recurring, but just to make sure that there's no crime occurring. So it's almost an unregulated standard. So it makes a big difference. And then finally, there's an intermediate standard based on reasonable suspicion, sort of government has some idea but not a really solid case yet.
SANCHEZYeah, I mean, I should just highlight here that there's, I think, a problem here of unintended consequences where you have a series of cases over the course of the 20th century that start with the idea that even business records are relatively protected under the Fifth Amendment. And you see this sort of slow evolution. As we have the growth of the modern regulatory state, courts saying well, OK, look. All these regulatory agencies can't really do their jobs unless they can subpoena business records.
SANCHEZAnd so you have a series of cases saying, OK, the standard for obtaining business records is not going to be as high. We're going to treat these basically differently from private letters and communications without really anticipating the ultimate technological evolution of a situation where lots of people's personal and private communications are going to be stored as business records by a corporate entity.
SANCHEZAnd so you have the emergence of this doctrine that says, well, all of this data is not protected in the same way information in your home is, I think, again, because of a series of decisions that were responding to situations that are very different from the one in which we currently live.
NNAMDIWell, I'd like you to take -- to hear our two callers. First, I will go to Brad in Washington, D.C., and then Mike. But first, Brad, it's your turn. You're on the air. Go ahead, please.
BRADWell, I think part of what I was going to say was the caller who made the analogy to postcards versus covered letters. And, you know, my only comment is if my government wants to read my -- I'll send them the password, you know? I mean, if I'm not doing anything wrong and my emails don't say I'm going to rob the First National Bank at 3:35 p.m. next Tuesday afternoon, you know, I would rather my government spend their time doing that -- imaginary WMDs in Iraq and brining our nation to war, you know?
BRADIt they want to read it, if they're that fascinated with what's in my inbox or outbox, go right ahead.
NNAMDIOK, Brad. Thank you very much for your call. I'd like to add to your thoughts those of Mike here in Washington, D.C. Mike, your turn.
MIKEHey, Kojo. Yeah, I mean the same thing I want to say is basically if you are committing a crime, then I think it's OK for the government to find the criminals. And if you're not committing a crime, then you're OK. Anybody can look at your email. It's not only the government that we have to worry about. You have hackers also. Hackers can get your personality. Hackers can get -- commit a crime in your name. Hackers can do a lot of things. So do not commit a crime on the Internet. Thank you.
NNAMDII'm afraid this is like red meat for Julian Sanchez, but go ahead, Julian.
SANCHEZI mean, look, I think this is -- that if you have nothing to hide, you have nothing to fear argument is historically extraordinarily naive.
SANCHEZIf you look at how surveillance power was used by the FBI, the CIA, the NSA over the course of the '50s, '60s, '70s, you see that under presidents of every political party, there was the abuse of surveillance powers to gather information that was often not evidence of a crime, but could be used to embarrass or destroy the careers of someone's political enemies in much the way -- and I'm not saying that's what happened here -- but in much the way the career of Petraeus has been torpedoed now.
SANCHEZEveryone has, I think, some embarrassing secret, not necessarily evidence of a crime, but some secret. And if the people with access to that information then get to decide whose career is allowed to survive and whose is not, that's far too much power in the hands of a secretive and minimally accountable agency. I mean, the famous case here is the attempt to drive to suicide Martin Luther King using recordings mailed to him of his extramarital liaisons.
SANCHEZYou know, there's a whole big, fat Church Committee report from the '70s that's certainly not exhaustive of ways this information that they had obtained was used inappropriately to work the democratic process. And that's something, as a citizen of a democracy, you should care about, whether it's your email being read or not.
NNAMDIYour turn, Orin Kerr.
KERRYeah. I mean, the government works for us. We don't work for it. So the question is what do we want our government to be doing for us? And I think the answer is we want our government to be able to solve important crimes that protect us. And what that means is that there should be limits on the government's powers.
KERRWe wouldn't want to live in a world where the government can do anything it wants because history suggests that if the government can do anything it wants, it's going to waste its time pursuing really stupid investigations and invading privacy and pursuing personal predilections that have nothing to do with protecting the public.
KERRAnd at the same time, we wouldn't want to live in a world where people have perfect privacy, where everything they do is so protected that the government really can't protect the public. So what we're talking about here is trying to come up with a middle ground. It's a balancing effort that tries to say, OK, the government is going to have certain powers, and those are incredibly important powers, but there have to be limits on the government's powers, and those are incredibly important limits.
NNAMDIIs it important, Julian -- Julia Angwin, that in the case of David Petraeus, one of the participants had access to his schedule and therefore led to the suspicion that there might also be a threat to confidential or secure information?
ANGWINI mean, that's one of the open questions about this investigation, right? There may well have been something that caused it to rise above the level of a normal harassment case. Most harassment cases, as I've mentioned, do not get investigated very heavily, but if there was some national security concern. However, the thing about his schedule has been questioned because some of his schedule was public, and some of it was not that sensitive. So I think we're going to have to wait for the facts to emerge before we can decide whether that was really sensitive information.
NNAMDIGot to take a short break. When we come back, we'll continue our conversation on tracing your digital footprint on the Web. But you can still call us, 800-433-8850, or send email to firstname.lastname@example.org. Do you think the rules that govern privacy are outdated or out of step with technology? 800-433-8850. I'm Kojo Nnamdi.
NNAMDIIt's Tech Tuesday, and we're joined in studio by Julian Sanchez. He's a research fellow with the Cato Institute. Orin Kerr is a professor of law at George Washington University Law School. He specializes in the fields of criminal procedure and computer crime law. And Julia Angwin is senior technology editor at The Wall Street Journal. She's edited The Journal's "What They Know and Watched" (sp?) series. She joins us from studios at The Wall Street Journal in New York.
NNAMDIWe got this email from Andrew, who said, "I think it's hard for people to truly appreciate how much of their digital lives is not only available, but correlateable. The problem is not just that Gmail has your data or that Facebook has your data or Amazon.com or your grocery store or bank. In many cases, it's trivial for bad actors to have access to one or more of these data sources and can use them to assemble fairly sophisticated user profiles in ways that allow them to do bad things.
NNAMDI"I think the question is no longer whether end users should expect privacy in their digital lives. That ship has sailed. The only relevant questions for end users now is whether they will participate in digital culture at all. I've chosen to participate, but I take measures to constrain the spread of my data across the Internet, measures that are extremely inconvenient and ultimately, I expect, futile.
NNAMDI"We all live in this era of big data where there's so much information being compiled about us by private and government agencies and where there's arguably all sort of statistical inferences that can be made about me based on where I drive or what I buy. How should all that data affect the way I think about privacy?" This question is for each of you. I'll start with you, Julian.
SANCHEZYeah. I mean, part of the problem here is that it's actually almost impossible to know the significance of any individual piece of data without thinking in a way that's really difficult for normal people about all the other data that it can be combined with. In Broadwell's case, she was using an anonymous email address, maybe even accessing her accounts from a hotel instead of from her home.
SANCHEZThe problem is that she logged into her own real email account right after she had logged into her anonymous email account, and so those two were able to be connected. And that's, I should note, even if she had been using an IP masking tool like Tor, often it uses the same relay path for blocks of about 10 minutes. So even then, that might not have protected her from that kind of correlation. A lot of things that we think are anonymous can actually be very easily reidentified if you have enough other data to sort of fill in the gaps and fit together the puzzle pieces to see what matches.
NNAMDIWell, Orin Kerr, should I be thinking like Andrew here and that, you know, I take measures to constrain the spread of my data? But they're inconvenient and, I expect, futile.
KERRWell, I think it's important for all of us to become more aware of the digital trail that we're leaving behind, and this is just a process of getting used to the idea of what actually happens when you visit a website. What information might you be leaving behind? You know, what -- when you write online using a pseudonym, are you really untraceable, or how can you be traced? And these are things, which I suspect in 10 or 20 years, will become second nature to us.
KERRBut right now we're kind of -- you know, think of the first time you started to surf the Web or use a search engine. It was sort of magic. It was a black box, and it just seemed like it was, you know, super private. And then, suddenly, you kind of learned, well, wait a minute, maybe it's not that private. And we're just getting used to that, and I think it's important for us as users to just become more familiar with the technology and more aware of the tracks we're leaving behind.
NNAMDIWell, Julia, we should note that, today, Pvt. Bradley Manning is expected to appear in court. He famously leaked a huge trove of classified documents to WikiLeaks or allegedly, and he faces a hefty jail sentence if he's convicted. He also tried to mask his tracks. Where did he trip up?
ANGWINYeah. I mean, the Bradley Manning case is an object lesson for all of us, anyone who tries to protect their privacy, because he did try, and he failed. He actually used sort of the, what I was talking about before, this real-time instant messaging encrypted. And I believed he used an anonymizer. And so he'd done sort of the right things, but he forgot to turn off the logging -- chat logging features.
ANGWINSo there was records of his real-time communications stored on his computer, which revealed, you know, his discussions with the WikiLeaks folks. And so, you know, it's possible he could have been caught through other means, but that it is worth noting that, you know, the WikiLeaks culture, they had claimed, you know, unbreakable encryption.
ANGWINAnd they had, you know, people in that world really believed that if you use enough techniques -- cryptography and anonymizer, et cetera -- that can try to be fully anonymous, but it is almost impossible to do on a regular -- like certainly on a daily basis to try to maintain that level of privacy. I'm trying to do that in my -- I'm writing a book, where I'm going to try actually to protect my privacy as much as possible while living in the modern world. And it is endlessly frustrating.
NNAMDIGood luck to you.
NNAMDIHere is Julian.
SANCHEZYou know, one point to make here is that a lot of what is easy and difficult in online communications is a function of what the intermediaries that facilitate those communications have decided to make easy or difficult. So, you know, Google makes using email through a Web browser very easy. They could if they wanted to, given their kind of incredible architecture they have of user identities among other things, overnight roll out an end-to-end user-friendly encryption for their Gmail.
SANCHEZIt's not in their interest perhaps to do so, because they target their advertising by using keyword analysis of your email, if your email is easily encryptable so that their programs can't read through it. That's one less source of data for them. But they could do that if they wanted to. They could make it easy to encrypt your email. Your phone company doesn't have to store all these logs that show in detail where you've been physically 24 hours a day for years and years and years indefinitely.
SANCHEZIt just become cheap for them to do so and it's, you know, useful for them to diagnose problems with their network if they've got all that data. But, again, you know, if it were not in the financial incentive of a lot of these intermediary companies to store all this data, then it might be actually quite a lot easier to keep a lot of privacy.
NNAMDIHere is Andy in Washington, D.C. Andy, your turn.
ANDYHi. Kojo, good to be with you. Yeah, I'm really impressed by Julian -- what Julian Sanchez says -- mentioned about the FBI abuses of the '60s and the '70s long before there was any of this technology. I mean, the government really can spy on people. It can use data to destroy legitimate dissent and it --- innocence is not necessarily a defense against a malevolent government agency like, I think, the FBI at times and the CIA.
ANDYI'm a Marxist, however, and as such, it seems to me that we're not talking about private when we are a little bit talking about private corporations and, you know, private hackers. And who knows, you know, private military or paramilitary groups are also a threat. And I don't know -- it seems to me with capitalist technology evolving as quickly as it has in electronics, I don't know how we control that, but it seems to me that the government is definitely a worry. But, you know, if Citibank or Verizon or AT&T manages to control your data, is that any better?
NNAMDIWell, a Marxist and a libertarian walk into a bar. The Marxist raises a question. Let's see if the libertarian can answer it. Julian.
SANCHEZSure. Right. So, obviously, as a CATO fellow, I am not Marxist, but I don't think it's without a concern there, especially because in a lot of ways, the boundaries blur constantly. The government couldn't get access to this data if private companies weren't storing it. The Department of Justice is one of the biggest customers of data aggregators and clearing houses. So there is cause for concern there. On the other hand, Google cannot throw me in jail.
SANCHEZAnd if Google is abusing its access to information in some really malevolent way, it doesn't have nearly the same power as the federal government to prevent that from being leaked. It can't declare that its own misdeeds are a national security secret and hound any whistleblowers who would dare to alert the public to that activity. Google, you know, is still is fundamentally one company.
SANCHEZThe government can access everything that Google has and everything that every other company has with appropriate legal process. So I think there are pretty good reasons to be specifically concerned about the government even if that doesn't mean we shouldn't be vigilant about private use of information as well.
NNAMDIOrin, this is not the only or even the most controversial example of technology forcing us to rethink our constitutional protections against unreasonable search and seizure. We've recently seen several federal courts grapple with the uses of geolocation devices to monitor suspects. Tell us about the cases you're keeping your eye most closely on, in particular, one that I've been reading about in The New York Times lately.
KERRWell, there are a bunch of cases that the lower federal courts are grappling...
NNAMDIChristian Paetsch, this one, the former music teacher, the bank robber.
KERRYes. So there was one recent case involving a bank robbery in which during the bank robbery, the robber was given, unbeknownst to him, money that had a GPS device attached to it. And the government was able to figure out exactly where the money was located. And it was actually at an intersection -- stopped at an intersection. And the government then froze everybody at the intersection...
KERRTwenty cars at the intersection. They said, OK, everybody, you know, stay in your car. We're going to go car by car to try to figure out exactly who has the device. And what complicated the matter is that the government actually had a tool for locating exactly where that GPS was located, but they couldn't find it. So it took them several hours to find the device. So it was a kind of a mess from the beginning. But they were actually able to find the bank robber and find the loot with the GPS device at the intersection. And it's just one of many new legal questions.
NNAMDIBut his lawyers are claiming that the roadblock was unconstitutional so that the evidence seized should be thrown out.
KERRThat's right. Yeah. Their claim is that the roadblock is unconstitutional. You can't freeze everybody at the intersection. There's actually a line from a U.S. Supreme Court case suggesting that you can, but some case law suggesting that you can't. So it's yet another issue that the courts are going to grapple with. So for those of us that deal with the Fourth Amendment new technology, there is always new fun stuff to deal with like that.
NNAMDIWell, if we're talking about the analog world, law enforcement is allowed to examine things that are in plain sight, for example, observations they can make about me without directly intruding on my home or my car. But if we're talking about the digital world, there's so much information about me that is kind of just floating out there that is public or semi-public. Is that information considered to be in plain sight?
KERRSo the way the law traditionally works is that there is two questions. There is the law governing access to exposure of the information and then there is whether the government can use that information once it's been exposed. So the government would need some sort of authority, for example, to come across contents inside an email account. And then they can look through the email account. And what's tricky, of course, is that in looking through everything in the email account, lots of other stuff comes into plain view.
KERRSo to my mind, a real challenge here is reformulating or even eliminating this plain view exception because so much stuff online comes into plain view when the government has that authority. And it's incredibly important that the government have the authority to look for evidence online pursuant to some legal process. The tricky part is limiting what they can then use after they have that legitimate legal process.
NNAMDIAnd I'm afraid we're just about out of time. Orin Kerr is a professor of law at George Washington University Law School. He specializes in the fields of criminal procedure and computer crime law. Orin Kerr, thank you for joining us.
NNAMDIJulian Sanchez is a research fellow at the Cato Institute. Julian, obviously, this discussion is not over. I look forward to participating in another discussion along these lines with you. Thank you for joining us.
SANCHEZI look forward to it. Thank you.
NNAMDIJulia Angwin is senior technology editor at The Wall Street Journal. She has edited The Journal's "What They Know and Watched" series. She joins us from studios at The Wall Street Journal in New York. Julian Angwin, once again, good luck with the book you're working on.
ANGWINThank you so much.
NNAMDII think you'll need it. And thank you all for listening. I'm Kojo Nnamdi.
Most Recent Shows
Experts call ISIS the best-funded non-state terrorist organization the U.S. has ever confronted. We explore how ISIS fills its coffers and how the international community is trying to shut off the funding pipeline.
The Red Cross' response to Hurricane Isaac and Superstorm Sandy are in the spotlight this week after an investigation by ProPublica and NPR revealed failures by the organization in multiple areas, as well as a pattern of diverting resources for public relations purposes.
It's a chapter of D.C.'s cultural history that's the subject of on onslaught of new documentary projects: the punk movement that took root in our area during the 1980s and 1990s. But this new wave of nostalgia has provoked tough questions too: is it overkill? Where did the creative and activist energy that fueled the art go? We ponder the past and the future of punk music in the Washington area.