prosecutors to issue a subpoena or obtain a court order or a search warrant from a judge for certain types of information. It also allows prosecutors to accept information given voluntarily by an Internet company. Even the Department of Justice described the law as "unusually complicated" in a manual for prosecutors published last year.
"Navigating through ECPA requires agents and prosecutors to apply the various classifications devised by ECPA's drafters to the facts of each case before they can figure out the proper procedure for obtaining the information sought," the manual says. The law left unclear whether a simple subpoena could obtain an IP address or if a prosecutor needed an order signed by a judge, said Cindy Cohn, attorney for the Electronic Frontier Foundation. It is a civil liberties group based in San Francisco. Cohn said the lack of clarity meant prosecutors did need a judge's order. But Justice Department spokesman Mark Corallo said the agency believed only a subpoena was necessary. The debate was resolved after the Sept.
11 attacks, when President George W. Bush signed the USA Patriot Act, giving the Justice Department new powers to fight terrorism. It provides prosecutors clear authority to obtain temporarily assigned IP addresses and other information from Internet companies through use of a subpoena.
"No check and balance"
In the Travis case, the FBI and the U.S. attorney's office in Illinois have not revealed how they obtained the information from Microsoft and WorldCom - whether by subpoena, search warrant or neither. But Microsoft said Thursday that federal prosecutors had issued a subpoena. Sobel said that given the strong link between the map sent to the Post-Dispatch and the crimes, there is little doubt that prosecutors were right to pursue the information and could easily have obtained a search warrant. Even so, he said, permitting prosecutors to obtain such information through use of a subpoena - a unilateral step that does not require the oversight of a judge - is not sufficient protection for the public. "There's no check and balance," he complained. "If law enforcement says, 'We want this information, and all we need is a subpoena,' there are not many (Internet service providers) that are going to say, 'No, you need a warrant.' There's a high level of cooperation." Corallo, the Justice Department spokesman, declined to comment on whether a subpoena sufficiently protects privacy. "The Patriot Act was passed by bipartisan majorities of the House and Senate and it is now the law of the land," he said.
The judge, Stanley Sporkin, also barred the Navy from discharging McVeigh, a highly decorated master chief petty officer. America Online also agreed to pay unspecified damages to settle a lawsuit brought by McVeigh and agreed to adopt policies aimed at protecting the privacy rights of customers. Microsoft, which critics have often accused of failing to protect customers' privacy, warns that it may have to reveal customer information to comply with the law. Its privacy policy says, in part, "Microsoft may disclose personal information if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Microsoft or the site." Tonya Klause, a Microsoft spokeswoman, said the FBI had a subpoena for the information that identified Travis. Microsoft does not sell such information or share it with business partners, Klause said. Asked how long the company retains data on an individual's use of Expedia's mapping site, Klause said in a written reply only "a very short time period.
Few legal precedents
At least part of the confusion comes from the fact that the Electronic Communications Privacy Act has not been widely tested in the courts, and there are few legal precedents, Sobel said. But one high-profile case was that of Timothy McVeigh, a sailor of no relation to the Oklahoma City bomber with the same name. McVeigh's sexual orientation was discovered when a Navy investigator asked America Online Inc. for information from McVeigh's user profile. The Navy sought to discharge McVeigh on the grounds that he had identified himself to America Online as gay. But in 1998, a federal judge in Washington said America Online had violated McVeigh's rights under the Electronic Communications Privacy Act by releasing the information without McVeigh's permission.
" WorldCom spokeswoman Sudie Nolan said, "WorldCom makes every effort to assist law enforcement agencies, but always subject to the appropriate legal processes." Nolan said WorldCom does not reveal how long it retains information identifying the IP addresses used by computer users. WorldCom does not sell the IP address information, she said. Nicolas Terry, a professor at St. Louis University School of Law, says he is less concerned about prosecutors' access to Internet data than about what Internet companies are doing with the data they collect. He said other developed countries had online privacy laws that were more stringent than those in the United States. For instance, the European Union passed a law in 1995 that permits Internet companies to use information given to them only for the purpose intended when a consumer first gives the information.
"What is to stop a Web site from collecting information about the maps we access - and anything else we do online - and selling it to other persons," Terry asked. "That is what is going on much more than catching serial killers."
Comments
Post a Comment