WelcomeTo My World

Friday, 12 April 2013

Can Police Read Text Messages Without a Warrant?


SURVEILLANCE SELF-DEFENCE

The SSD Project

The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.
Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?
After an introductory discussion of how you should think about making security decisions -- it's all about Risk Management -- we'll be answering those two questions for three types of data:
First, we're going to talk about the threat to the Data Stored on Your Computer posed by searches and seizures by law enforcement, as well as subpoenas demanding your records.
Second, we're going to talk about the threat to your Data on the Wire -- that is, your data as it's being transmitted -- posed by wiretapping and other real-time surveillance of your telephone and Internet communications by law enforcement.
Third, we're going to describe the information about you that is stored by third parties like your phone company and your Internet service provider, and how law enforcement officials can get it.
In each of these three sections, we're going to give you practical advice about how to protect your private data against law enforcement agents.
In a fourth section, we'll also provide some basic information about the U.S. government's expanded legal authority when it comes to Foreign Intelligence and Terrorism Investigations .
Finally, we've collected several articles about specific defensive technologies that you can use to protect your privacy, which are linked to from the other sections or can be accessed individually. So, for example, if you're only looking for information about how to securely delete your files, or how to use encryption to protect the privacy of your emails or instant messages, you can just directly visit that article.
Legal disclaimer: This guide is for informational purposes only and does not constitute legal advice. EFF's aim is to provide a general description of the legal and technical issues surrounding you or your organization's computer and communications security, and different factual situations and different legal jurisdictions will result in different answers to a number of questions. Therefore, please do not act on this legal information alone; if you have any specific legal problems, issues, or questions, seek a complete review of your situation with a lawyer licensed to practice in your jurisdiction.

Risk Management

Security Means Making Trade-Offs to Manage Risks
Security isn't having the strongest lock or the best anti-virus software -- security is about making trade-offs to manage risk, something we do in many contexts throughout the day. When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the threat of getting run over versus the trouble of walking to the corner, and assess the risk of that threat happening by looking for oncoming cars. Your bodily safety is the asset you're trying to protect. How high is the risk of getting run over and are you in such a rush that you're willing to tolerate it, even though the threat is to your most valuable asset?
That's a security decision. Not so hard, is it? It's just the language that takes getting used to. Security professionals use four distinct but interrelated concepts when considering security decisions: assets, threats, risks and adversaries.

Assets

What You Are Protecting
An asset is something you value and want to protect. Anything of value can be an asset, but in the context of this discussion most of the assets in question are information. Examples are you or your organization's emails, instant messages, data files and web site, as well as the computers holding all of that information.
What You Are Protecting Against
A threat is something bad that can happen to an asset. Security professionals divide the various ways threats can hurt your data assets into six sub-areas that must be balanced against each other:
  • Confidentiality is keeping assets or knowledge about assets away from unauthorized parties.
  • Integrity is keeping assets undamaged and unaltered.
  • Availability is the assurance that assets are available to parties authorized to use them.
  • Consistency is when assets behave and work as expected, all the time.
  • Control is the regulation of access to assets.
  • Audit is the ability to verify that assets are secure.
Threats can be classified based on which types of security they threaten. For example, someone trying to read your email (the asset) without permission threatens its confidentiality and your control over it. If, on the other hand, an adversary wants to destroy your email or prevent you from getting it, the adversary is threatening the email's integrity and availability. Using encryption, as described later in this guide, you can protect against several of these threats. Encryption not only protects the confidentiality of your email by scrambling it into a form that only you or your intended recipient can descramble, but also allows you to audit the emails -- that is, check and see that the person claiming to be the sender is actually that person, or confirm that the email wasn't changed between the sender and you to ensure that you've maintained the email's integrity and your control over it.
Risk
The Likelihood of a Threat Actually Occuring
Risk is the likelihood that a particular threat against a particular asset will actually come to pass, and how damaged the asset would be. There is a crucial distinction between threats and risks: threats are the bad things that can happen to assets, but risk is the likelihood that specific threats will occur. For instance, there is a threat that your building will collapse, but the risk that it will really happen is far greater in San Francisco (where earthquakes are common) than in Minneapolis (where they are not).
People often over-estimate and thus over-react to the risk of unlikely threats because they are rare enough that the worst incidents are well publicized or interesting in their unusualness. Similarly, they under-estimate and under-react to more common risks. The most clichéd example is driving versus flying. Another example: when we talk to individuals about government privacy intrusions, they are often concerned about wiretapping or searches, but most people are much more at risk from less dramatic measures, like subpoenas demanding records from you or your email provider. That is why we so strongly recommend good data practices -- if it's private, don't give it to others to hold and don't store it, but if you do store it, protect it -- while also covering more unusual circumstances, like what to do when the police show up at your door or seize your laptop.
Evaluating risk is necessarily a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to be available than confidential.
In his book Beyond Fear, security expert Bruce Schneier identifies five critical questions about risk that you should ask when assessing proposed security solutions:
  • What assets are you trying to protect?
  • What are the risks to those assets?
  • How well does the security solution mitigate those risks?
  • What other risks does the security solution cause?
  • What costs and trade-offs does the security solution impose?
Security is the art of balancing the value of the asset you are trying to protect against the costs of providing protection against particular risks. Practical security requires you to realistically judge the actual risk of a threat in order to decide which security precautions may be worth using to protect an asset, and which precautions are absolutely necessary.
In this sense, protecting your security is a game of tradeoffs. Consider the lock on your front door. What kind of lock -- or locks -- should you invest in, or should you lock the door at all? The assets are invaluable -- the privacy of your home and control over the things inside. The threat level is very high -- you could be financially wiped out, and all of your most valuable and private information exposed, if someone broke in. The critical question then becomes: how serious is the risk of someone breaking in? If the risk is low, you probably won't want to invest much money in a lock; if the risk is high, you'll want to get the best locks that you can.

Adversaries

Who Poses a Threat?
A critical part of assessing risk and deciding on security solutions is knowing who or what your adversary is. An adversary, in security-speak, is any person or entity that poses a threat against an asset. Different adversaries pose different threats to different assets with different risks; different adversaries will demand different solutions.
For example, if you want to protect your house from a random burglar, your lock just needs to be better than your neighbors', or your porch better lit, so that the burglar will choose the other house. If your adversary is the government, though, money spent on a better lock than your neighbors' would be wasted -- if the government is investigating you and wants to search your house, it won't matter how well your security compares to your neighbors. You would instead be better off spending your time and money on other security measures, like encrypting your valuable information so that if it's seized, the government can't read it.
Here are some examples of the kinds of adversaries that may pose a threat to your digital privacy and security:
  • U.S. government agents that follow laws which limit their activities
  • U.S. government agents that are willing and able to operate without legal restrictions
  • Foreign governments
  • Civil litigants who have filed or intend to file a lawsuit against you
  • Companies that store or otherwise have access to your data
  • Individual employees who work for those companies
  • Hackers or organized criminals who randomly break into your computer, or the computers of companies that store your data
  • Hackers or organized criminals that specifically target your computer or the computers of the companies that store your data
  • Stalkers, private investigators or other private parties who want to eavesdrop on your communications or obtain access to your machines
This guide focuses on defending against threats from the first adversary -- government agents that follow the law -- but the information herein should also provide some help in defending against the others.

Putting it All Together

Which Threats from Which Adversaries Pose the Highest Risk to Your Assets?
Putting these concepts together, you need to evaluate which threats to your assets from which adversaries pose the most risk, and then decide how to manage the risk. Intelligently trading off risks and costs is the essence of security. How much is it worth to you to manage the risk? For example, you may recognize that government adversaries pose a threat to your webmail account, because of their ability to secretly subpoena its contents. If you consider that threat from that adversary to be a high risk, you may choose not to store your email messages with the webmail company, and instead store it on your own computer. If you consider it a low risk, you may decide to leave your email with the webmail company -- trading security for the convenience of being able to access your email from any internet-connected computer. Or, if you think it's an intermediate risk, you may leave your email with the webmail company but tolerate the inconvenience of using encryption to protect the confidentiality of your most sensitive emails. In the end, it's up to you to decide which trade-offs you are willing to make to help secure your assets.
A Few Parting Lessons
Now that we've covered the critical concepts, here are a few more basic lessons in security-think that you should consider before reading the rest of this guide:
Knowledge is Power. Good security decisions can't be made without good information. Your security tradeoffs are only as good as the information you have about the value of your assets, the severity of the threats from different adversaries to those assets, and the risk of those attacks actually happening. We're going to try to give you the knowledge you need to identify the threats to your computer and communications security that are posed by the government, and judge the risk against possible security measures.
The Weakest Link. Think about assets as components of the system in which they are used. The security of the asset depends on the strength of all the components in the system. The old adage that "a chain is only as strong as its weakest link" applies to security, too: The system as a whole is only as strong as the weakest component. For example, the best door lock is of no use if you have cheap window latches. Encrypting your email so it won't get intercepted in transit won't protect the confidentiality of that email if you store an unencrypted copy on your laptop and your laptop is stolen.
Simpler is Safer and Easier. It is generally most cost-effective and most important to protect the weakest component of the system in which an asset is used. Since the weak components are much easier to identify and understand in simple systems, you should strive to reduce the number and complexity of components in your information systems. A small number of components will also serve to reduce the number of interactions between components, which is another source of complexity, cost, and risk.
More Expensive Doesn't Mean More Secure. Don't assume that the most expensive security solution is the best, especially if it takes away resources needed elsewhere. Low-cost measures like shredding trash before leaving it on the curb can give you lots of bang for your security buck.
There is No Perfect Security -- It's Always a Trade-Off. Set security policies that are reasonable for your organization, for the risks you face, and for the implementation steps your group can and will take. A perfect security policy on paper won't work if it's too difficult to follow day-to-day.
What's Secure Today May Not Be Secure Tomorrow. It is also crucially important to continually re-evaluate the security of your assets. Just because they were secure last year or last week doesn't mean they're still secure!

Data Stored on Your Computer

Search, Seizure and Subpoenas
In this section, you'll learn about how the law protects -- or doesn't protect -- the data that you store on your own computer, and under what circumstances law enforcement agents can search or seize your computer or use a subpoena to demand that you turn over your data. You'll also learn how to protect yourself in case the government does attempt to search, seize, or subpoena your data, with a focus on learning how to minimize the data that you store and use encryption to protect what you do store.

What Can the Government Do?

Before you can think about security against the government, you need to know law enforcment's capabilities and limitations. The government has extraordinary abilities -- it's the best-funded adversary you'll ever face. But the government does have limits. It must decide whether it is cost-effective to deploy its resources against you. Further, law enforcement officers have to follow the law, and most often will try to do so, even if only because there are penalties associated with violating it. The first and most important law for our purposes is the Fourth Amendment to the United States Constitution.

The Fourth Amendment

Protecting People From Unreasonable Government Searches and Seizures
The Fourth Amendment says, "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
A seizure occurs when the government takes possession of items or detains people.
A search is any intrusion by the government into something in which one has a reasonable expectation of privacy.
Some examples of searches include: reaching into your pockets or searching through your purse; entering into your house, apartment, office, hotel room, or mobile home; and examining the contents of your backpack or luggage. Depending on the facts, eavesdropping on your conversations or wiretapping of your communications can also constitute a search and seizure under the Fourth Amendment.
The Fourth Amendment requires searches and seizures to be "reasonable", which generally means that police must get a search warrant if they want to conduct a legal search or seizure, although there are exceptions to this general rule. If a search or seizure is "unreasonable" and thus illegal, then police cannot use the evidence obtained through that search or seizure in a criminal trial. This is called the exclusionary rule and it is the primary incentive against government agents violating your Fourth Amendment rights.
A few important things to remember:
  • The Fourth Amendment protects you from unreasonable searches whether or not you are a citizen. In particular, the exclusionary rule applies to all criminal defendants, including non-citizens. However, the exclusionary rule does not apply in immigration hearings, meaning that the government may introduce evidence from an illegal search or seizure in those proceedings.
  • The Fourth Amendment applies whenever the government -- whether local, state or federal -- conducts a search or seizure. It protects you from an unreasonable search or seizure by any government official or agent, not just the police.
  • The Fourth Amendment does not protect you from privacy invasions by people other than the government, even if they later hand over what they found to the government -- unless the government directed them to search your things in the first place.
  • Your Fourth Amendment rights against unreasonable searches and seizures cannot be suspended -- even during a state of emergency or wartime -- and they have not been suspended by the USA PATRIOT Act or any other post-9/11 legislation.
  • If you are ever searched or served with any kind of government order, contact a lawyer immediately to discuss your rights. Contact a lawyer any time you are searched, threatened with a search, or served with any kind of legal papers from the government or anyone else. If you do not have a lawyer, pro bono legal organizations such as EFF are available to help you or assist in finding other lawyers who will.

Reasonable Expectation of Privacy

The Fourth Amendment only protects you against searches that violate your reasonable expectation of privacy. A reasonable expectation of privacy exists if 1) you actually expect privacy, and 2) your expectation is one that society as a whole would think is legitimate.
This rule comes from a decision by the United States Supreme Court in 1967, Katz v. United States, holding that when a person enters a telephone booth, shuts the door, and makes a call, the government can not record what that person says on the phone without a warrant. Even though the recording device was stuck to the outside of the phone booth glass and did not physically invade Katz's private space, the Supreme Court decided that when Katz shut the phone booth's door, he justifiably expected that no one would hear his conversation, and that it was this expectation -- rather than the inside of the phone booth itself -- that was protected from government intrusion by the Fourth Amendment. This idea is generally phrased as "the Fourth Amendment protects people, not places."
A big question in determining whether your expectation of privacy is "reasonable" and protected by the Fourth Amendment arises when you have "knowingly exposed" something to another person or to the public at large. Although Katz did have a reasonable expectation of privacy in the sound of his conversation, would he have had a reasonable expectation of privacy in his appearance or actions while inside the glass phone booth? Probably not.
Thus, some Supreme Court cases have held that you have no reasonable expectation of privacy in information you have "knowingly exposed" to a third party -- for example, bank records or records of telephone numbers you have dialed -- even if you intended for that third party to keep the information secret. In other words, by engaging in transactions with your bank or communicating phone numbers to your phone company for the purpose of connecting a call, you've "assumed the risk" that they will share that information with the government.
You may "knowingly expose" a lot more than you really know or intend. Most information a third party collects -- such as your insurance records, credit records, bank records, travel records, library records, phone records and even the records your grocery store keeps when you use your "loyalty" card to get discounts -- was given freely to them by you, and is probably not protected by the Fourth Amendment under current law. There may be privacy statutes that protect against the sharing of information about you -- some communications records receive special legal protection, for example -- but there is likely no constitutional protection, and it is often very easy for the government to get a hold of these third party records without your ever being notified.
Here are some more details on how the Fourth Amendment will -- or won't -- protect you in certain circumstances:
Residences. Everyone has a reasonable expectation of privacy in their home. This is not just a house as it says in the Fourth Amendment, but anywhere you live, be it an apartment, a hotel or motel room, or a mobile home.
However, even things in your home might be knowingly exposed to the public and lose their Fourth Amendment protection. For example, you have no reasonable expectation of privacy in conversations or other sounds inside your home that a person outside could hear, or odors that a passerby could smell (although the Supreme Court has held that more invasive technological means of obtaining information about the inside of your home, like thermal imaging technology to detect heat sources, is a Fourth Amendment search requiring a warrant). Similarly, if you open your house to the public for a party, a political meeting, or some other public event, police officers could walk in posing as guests and look at or listen to whatever any of the other guests could, without having to get a warrant.
Business premises. You have a reasonable expectation of privacy in your office, so long as it's not open to the public. But if there is a part of your office where the public is allowed, like a reception area in the front, and if a police officer enters that part of the office as any other member of the public is allowed to, it is not a search for the officer to look at objects in plain view or listen to conversations there. That's because you've knowingly exposed that part of your office to the public. However, if the officer does not stay in that portion of the premises that is open to the public -- if he starts opening file cabinets or tries to go to private offices in the back without an invitation -- then his conduct becomes a search requiring a search warrant.
Trash. The things you leave outside your home at the edge of your property are unprotected by the Fourth Amendment. For example, once you carry your trash out of your house or office and put it on the curb or in the dumpster for collection, you have given up any expectation of privacy in the contents of that trash. You should always keep this in mind when you are disposing of sensitive documents or anything else that you want to keep private. You may want to shred all paper documents and destroy all electronic media. You could also try to put the trash out (or unlock your trashcan) right before it's picked up, rather than leaving it out overnight without a lock.
Public places. It may sound obvious, but you have little to no privacy when you are in public. When you are in a public place -- whether walking down the sidewalk, shopping in a store, sitting in a restaurant or in the park -- your actions, movements, and conversations are knowingly exposed to the public. That means the police can follow you around in public and observe your activities, see what you are carrying or to whom you are talking, sit next to you or behind you and listen to your conversations -- all without a warrant. You cannot necessarily expect Fourth Amendment protection when you're in a public place, even if you think you are alone. Fourth Amendment challenges have been unsuccessfully brought against police officers using monitoring beepers to track a suspect's location in a public place, but it is unclear how those cases might apply to more pervasive remote monitoring, like using GPS or other cell phone location information to track a suspect's physical location.
Infiltrators and undercover agents. Public meetings of community and political organizations, just like any other public places, are not private. If the government considers you a potential criminal or terrorist threat, or even if they just have an unfounded suspicion that your organization might be up to something, undercover police or police informants could come to your public meetings and attempt to infiltrate your organization. They may even wear hidden microphones and record every word that's said. Investigators can lie about their identities and never admit that they're cops -- even if asked directly. By infiltrating your organization, the police can identify any of your supporters, learn about your plans and tactics, and could even get involved in the politics of the group and influence organizational decisions. You may want to save the open-to-the-public meetings for public education and other non-sensitive matters and only discuss sensitive matters in meetings limited to the most trusted, long-time staff and constituents.
Importantly, the threat of infiltrators exists in the virtual world as well as the physical world: for example, a police officer may pose as a online "friend" in order to access your private social network profile.
Records stored by others. As the Supreme Court has stated, "The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed." This means that you will often have no Fourth Amendment protection in the records that others keep about you, because most information that a third party will have about you was either given freely to them by you, thus knowingly exposed, or was collected from other, public sources. It doesn't necessarily matter if you thought you were handing over the information in confidence, or if you thought the information was only going to be used for a particular purpose.
Therefore it is important to pay close attention to the kinds of information about you and your organization's activities that you reveal to third parties, and work to reduce the amount of private information you leave behind when you go about your daily business.
Opaque containers and packages. Even when you are in public, you have a reasonable expectation of privacy in the contents of any opaque (not see-through) clothes or containers. So, unless the police have a warrant or qualify for one of the warrantless search exceptions discussed below, they can't go digging in your pockets or rummaging through your bags.
Laptops, pagers, cell phones and other electronic devices are also protected. Courts have generally treated electronic devices that hold data as if they were opaque containers.
However, always keep in mind that whatever you expose to the public isn't protected. So, if you're in a coffee shop using your laptop and an FBI agent sitting at the next table sees what you are writing in an email, or if you open your backpack and the FBI agent can see what's inside, the Fourth Amendment won't protect you.
Postal mail. The mail that you send through the U.S. Postal Service is protected by the Fourth Amendment, and police have to get a warrant to open it in most cases.
If you're using the U.S. Postal Service, send your package using First Class mail or above. Postal inspectors don't need a search warrant to open discount (media) rate mail because it isn't supposed to be used for personal correspondence.
Keep in mind that although you have privacy in the contents of your mail and packages, you don't have any privacy in the "to" and "from" addresses printed on them. That means the police can ask the post office to report the name and address of every person you send mail to or receive mail from -- this is called a "mail cover" -- without getting a warrant. Mail covers are a low-tech form of "traffic analysis," which we'll discuss in the section dealing with electronic surveillance.
You don't have any privacy in what you write on a postcard, either. By not putting your correspondence in an envelope, you've knowingly exposed it, and the government can read it without a warrant.
Police at the door: Police in your home or office when it's open to the public?
The police may be able to come into your home or office if you have opened those places to the public -- but you can also ask them to leave, just as if they were any other members of the public. If they don't have a warrant, or don't qualify for any of the warrant exceptions, they have no more right to stay once you've asked them to leave than any other trespasser. However, undercover agents or officers need not announce their true identities, so asking all cops to leave the room before a meeting is not going provide any protection.  

Thank You
  Black Power Productions

No comments:

Post a Comment