Privacy Statutes Need to Catch Up


Over the Bush administration’s claim that its once-secret program of domestic eavesdropping is legal and constitutional, there will be endless debate -- in coffeehouses, courtrooms, and, it is to be hoped, in Congress.

But a public interest group’s recent lawsuit charging AT&T Inc. with willing complicity in the program should wake us all up to how our casual reliance on new technology has turned privacy into an increasingly fragile principle.

In the federal class action filed in January in U.S. District Court in San Francisco, the Electronic Frontier Foundation alleges that AT&T helped the government intercept the private communications of millions of Americans whose data -- phone calls, e-mails, Internet transmissions, and Lord knows what else -- happened to pass over the company’s network. (Many of the foundation’s allegations derive from newspaper reports, including articles by my colleagues Josh Meyer and Joseph Menn.)


Earlier this month, EFF filed a statement by Mark Klein, a retired AT&T employee, describing the construction of a “secret room” at a company facility in San Francisco, purportedly so data moving over its fiber-optic lines could be split off and fed into the National Security Agency loop.

Klein’s declaration, as well as some internal documents he provided to EFF, were filed with the court under seal, but according to a version his attorneys made public last week, the room housed a “semantic traffic analyzer.” This is a machine that can thumb through digital bits looking for target patterns -- words, phrases, even routings.

Klein said he understood that similar rooms were being installed in other cities. In a statement he made earlier to one of my Times colleagues, he added, “These installations enable the government to look at every individual message on the Internet and analyze exactly what people are doing” -- whether it’s transmitting e-mail, Web surfing, what have you. AT&T declined to discuss the case, and Klein’s lawyers say he’s not making any further statements for the moment.

It’s plain that the necessary ingredients for a surveillance program on such a scale are the will and the technology. The law no longer matters, because technology has left it in the dust.

The limits of permissible search and seizure evolved from the 4th Amendment in an era when one’s personal papers typically remained within the confines of one’s own house. Mail was transmitted under seal; over time, the rules covering the government’s access to outside-the-envelope information such as addresses became liberalized, but what was inside remained inviolate without a search warrant based on probable cause.

But sealed mail is no longer the issue in high-tech surveillance; instead, we communicate via streams of digital bits that, to the average person, still feel like a form of first-class mail. But they’re very different.


Most of today’s rules dictating the government’s rights to view personal electronic records derive, one way or another, from the federal Electronic Communications Privacy Act. This statute was enacted in 1986 largely in response to case law from the 1970s. In today’s fast-moving world, it’s a rare law that can go without regular updating, and ECPA is hopelessly superannuated.

“The law has been marching in place and, unfortunately, the technology has been marching ahead,” Deirdre Mulligan, director of the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley’s law school, told me this week.

The problem is evident if one considers how “electronic communications” were defined in 1986. As Mulligan observed in a 2004 article for the George Washington Law Review, e-mail then was a communications medium for limited business and professional communities. The first commercial online bulletin board, the WELL, had appeared in 1985 but served fewer than 2,000 members. The commercial e-mail services MCI Mail and CompuServe didn’t appear until 1989, and the World Wide Web not until 1991.

Only after online banking and shopping a la Amazon showed up in the late 1990s did Americans become acclimated to transmitting our account numbers, credit card codes, addresses and other personal details over the Web.

But then our qualms faded rapidly. Internet phone services appeared, along with network applications allowing us to store on some commercial entity’s servers a mind-boggling range of personal info -- lists of our financial assets, and journals and diaries containing our most private thoughts. Meanwhile, the websites we viewed or traded with accumulated information about our habits and routines linked to Internet addresses traceable to our very desktops.

Very few people are aware that much of this data can be snorted up by government authorities with subpoenas issued merely on the assertion that the information may be “relevant” to an investigation, and often without notice to the individual who sent it. Even fewer realize that while an e-mail kept on their own computer can’t be seized without a search warrant, the same message kept on Google or Yahoo’s mail system can be seized without one.


So we’ve become dangerously blase about what we allow other people to keep or read. Google’s Gmail service discourages subscribers from ever deleting anything -- with 3 gigabytes of storage for every user, why put anything in the trash, it asks, treating as a virtue the eternal life of a personal e-mail located somewhere in cyberspace. What Google doesn’t tell its customers is that any message left on that server, even unread, for more than six months can be accessed by the government’s prying eyes with very little legal ceremony.

The NSA’s vacuuming of terabytes of personal data from AT&T’s network is an example of the government aggressively taking advantage of a tattered fabric of privacy protection. The Electronic Frontier Foundation says it’s convinced the feds and the company crossed the line: “AT&T is not supposed to allow the government to engage in wiretapping without a search warrant,” says EFF attorney Kevin Bankston, who is involved in the case. “There’s no ambiguity in how electronic search statutes govern your commerce with other people.”

I wish I were as confident that matters were so clear-cut. The statutes are old and worn, and the one thing the NSA program tells us is that they need to be brought into the 21st century, fast.

Golden State appears every Monday and Thursday. You can reach Michael Hiltzik at and view his weblog at