

Proposal to protect network transactional information
that is personally identifiable or that reveals the
contents of the communication

As this memorandum will demonstrate, the scope and depth of personal, sensitive information available through network transactional records has increased dramatically since the 1986 law was passed. Thus, EFF believes that the requirements for law enforcement access to certain categories of transactional records should be increased from a mere subpoena, which can be issued without independent judicial scrutiny, to a court order, which would only be issued upon a finding by a detached and neutral magistrate. All transactional records which:

contain personally identifiable information related to an electronic
communication, or

reveal the content of the electronic communication

should be accessible to law enforcement only with a court order.

Online transactional information contains extensive personally identifiable information and thus deserves greater protection than telephone toll records


Personally identifiable information in online
transactional records

The bulk of email addresses in use today are unique to an individual user. Either the address reveals on its face the identity of the user, or a simple command can be issued to translate the address into the owner's name.

Email addresses are personally identifiable

jberman@ belongs to Jerry Berman belongs to Whitfield Diffie

Therefore, unlike telephone toll records, a transaction indicating that a message is sent to or received from a particular email address is almost always a definitive record of a communication by an identifiable person. (For a detailed description of email transactional records, see Appendix A.) Whereas toll records record only the fact that a given telephone instrument connects to another instrument, a record of an email sent or received will establish the identity of the communicating party with some certainty. Ownership of a telephone instrument may be well-established, but without access to the content of the telephone communication, there is no proof that any individual was actually using the phone coincident with a communication recorded in toll records. In practice, courts also agree that toll records fall short of disclosing identity of the calling parties.4

Some early email systems tied the email address to a particular computer or terminal, just as a telephone number is tied to a given telephone instrument. But today, someone who owns an email address can use it from virtually any computer in the world. Moreover, no one else can easily use another person's email address, since the ability to send and receive mail with an address is generally controlled by password or other security device. While it is, in some cases, possible to use someone else's email address, this practice will increasingly be considered a fraud on the receiver of the message and a theft of service from the owner of the email account. By contrast, no fraud is required to use someone else's telephone number, unless one fails to pay the charges associated with the call.


Transactional records reveal location of sender and

Transactional information in new mobile communications services such as cellular network and Personal Communications Services (PCS) provides law enforcement with information about the location and travel of users. These services are designed in order to deliver calls and other communications to the subscriber, no matter where in the country he or she is. As a side effect of this feature, the network generates trails of transactional information that pinpoint the user's location at any time that the user has the device turned on. For example, when a cellular phone is set to "roam" from one territory to another, it signals the network each time it crosses into a new service area, so that calls can be delivered to that phone and so that proper billing connections are established.

Furthermore, transactional records from mobile communications services will also reveal the movement of an individual from place to place, in real time. As the target moves from one cell or service area to another, an electronic trace of the fact that a given geographical boundary line is crossed will be created. If law enforcement has access to such traces, it will be possible to determine not only the target's location, but also his or her direction of movement.

Such location-specific information goes far beyond the simple calling and called number information contemplated by Congress when it authorized access to transactional information without a warrant or other judicial scrutiny. Where a probable cause warrant has been issued, we do not contest law enforcement's right to have access to such information, where technically feasible. However, we believe that it is contrary to the Fourth Amendment and to the policy framework established in the 1968 Act and ECPA, to allow access to this increasingly rich source of information based on subpoena authority alone.

4 In United States v. Anderson (542 F.2d 428, 1976), the 7th Circuit found that "toll records could not be relied on to show the contents of calls nor the parties thereto; ... identification of places called ... did not reveal the identity of the recipient or the nature of the call...."


Online transactional records deserve a greater
degree of protection than telephone toll records

In contrast to telephone toll records, online transactional information may reveal the identity of the communicating parties, and even the precise location of the communicators. These attributes distinguish online transactional records from traditional telephone toll records and other records generally available to law enforcement under subpoena power.

Content of communication revealed by online transactional information

In many instances, addressing information from online systems will reveal the content or subject of the electronic communication. As in the example below, messages are often directed to, or received from discussion groups on particular topics.

FROM: (Danny Weitzner)

crypto policy update
DATE: July 29, 1994, 08:15:48

This week significant progress was made on the Clipper front, but
slide continues on export control liberalization...

This message would be sent to everyone who is a participant in this particular group. Discussion groups (such as eff-crypto) are similar to telephone conference calls, except that they may last for days, weeks, or years. (See Appendix A for discussion of online transactional records logs which reveal such information.)

Here again, email address records are dramatically more revealing than analogous telephone toll records. Telephone toll records might reveal the fact that the user of a particular telephone was connected to a conference call service, but would not indicate the subject of that conference. In the email example above, the subject of the conference is embedded into the address line, along with the other individuals addressed. Furthermore, since the conference name is indistinguishable from an individual email address, there is no way to segregate such information out of the transactional record stream.


Freedom of association and assembly implicated by
disclosure of personally identifiable information

Not only does the transactional log of such a discussion group reveal the contents of the discussion, but also the names of the parties to the discussion are disclosed in the logs. This is an excerpt from an actual email log which records the progress of the above message from the sender to all of the members of the online discussion group.

01 7/29 08:15:48 11412559: from=<d]weit.urg., megids«>
02 7/29 08:15:49 11112559: to='1 /usr/local/etc/cryptoarchiver' stat=Sent
03 7/29 08:15:50 11412559: to='/usr/local/etc/dmail2list eff-crypto efi-crypi rmplo,
04 7/29 08:15:51 11112565: from=owner-eff-crypto, msgid=<>
05 7/29 08:15:51 11112565: (John Gilmore), delay=00:00:01, stat=queued
06 7/29 08:15:51 T1A12565: (Mitchell Kapor), delay=00:00:01, stat=queued
07 7/29 08:15:51 IIA12565: (Jerry Berman), delay=00:00:01, stat=queued
08 7/29 08:15:52 TIA12565: (Jonah Seiger), delay=00:00:01, stat=queued
09 7/29 08:15:51 T1A12565: (Danny Weitzner), delay=00:00:01, stat=queued

First, line 1 of the log reveals that a message was sent to the eff-crypto discussion group. Then, lines 5 through 9 reveal the identity of all of the recipients of that message, in other words, all of the participants in this particular group.

For those who associate and assemble online, these email logs are equivalent to membership lists deserving of constitutional privacy protection. Inasmuch as online transactional records reveal the identity of the parties who are engaged in the discussion, fundamental constitutional rights such as freedom of association and freedom of assembly are implicated by any disclosure to the government. Since NAACP v. Alabama ex rel. Patterson, 357 US 449 (1958), courts have agreed that threats to privacy of association constitute impermissible intrusion on First Amendment freedom of association and freedom of assembly. The NAACP case involved a challenge to a government action which would have compelled the NAACP to disclose its membership list to the State of Alabama. The Supreme Court found that:

Inviolability of privacy in group association may, in many circumstances, be indispensable to preservation of freedom of association. Id. at 462.

Inasmuch as online transactional records reveal such group association, they should be given a high level of protection from government intrusion. The transactional records of online conferences discussed above and shown in Appendix A clearly reveal association with particular groups.


Quantity, Detail, and Ease of Analysis of transactional records
require expanded protection

With the passage of ECPA, electronic mail messages were given the same degree of privacy protection as first class mail. Notwithstanding the analogy drawn in 1986, there are significant differences between email addressing logs and information which may be obtained under a mail cover.


Transactional logs of email contain significantly more
information than available from a mail cover

Automatic email transaction trail

Email systems create detailed transaction logs as a matter of course, whereas the postal service only keeps address logs if specifically required to do so by valid legal process. Thus, in the case of email surveillance, law enforcement may decide, after the fact of a particular transmission, to seek access to transactional records.

Automatic attachment of return address information

When using US Postal Service mail, the addition of a return address which identifies the sender is entirely optional and requires an affirmative step by the sender. In contrast, most email systems automatically append a return address to each electronic mail message, thus guaranteeing that anyone who examines the email log will be able to identify both the sender and recipient.

Email co-mingles functions traditionally
accomplished with voice, fax, paper mail, and even
face-to-face communications

Email communication is often a substitute for many other forms of communications. An email message can replace a fax, a voice telephone call, a short note sent through the US mail, and even face-to-face communication. Therefore access to logs of such communication is vastly more revealing than a log of any other single form of communication. Courts have recognized an increased privacy interest in co-mingled information as compared to the same information in disaggregated form.


Increased privacy interest in compilations

The volume and detailed nature of email transactions raise much more serious privacy concerns than do either toll records or mail cover logs. The Supreme Court and the US Congress have recognized that computerized compilations of information raise unique privacy concerns. Beginning with the Privacy Act of 1974, Congress has acknowledged that "computerized data banks ... present issues considerably more difficult than, and certainly very different from, a case involving the source records themselves."5 Later, in Whalen v. Roe, the Supreme Court found that "[t]he central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information."6 And finally, in US Department of Justice v. Reporter's Committee, the Court found that a "strong privacy interest inheres in the nondisclosure of compiled computerized information...."7 It is precisely the great volume of and

5 H.R. Rep. No. 1416, 93d Cong., 2d Sess. 3, 6-9 (1974) Legislative history of the Privacy Act of 1974.

6 429 U.S. 589, 607 (1977) (Brennan, J., concurring)

7 489 U.S. 749, 766 (1989)
