Update, June 27, 2014: This post has been updated. It was originally published on Dec. 4, 2012.
The government isn't allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a court order that doesn't require showing probable cause of a crime. These powers are entirely separate from the National Security Agency's collection of Americans' phone records en masse, which the House of Representatives voted to end last month.
Stuff They Can Get How They Get It What the Law Says
Who You Called, When You Called
Listening to your phone calls without a judge's warrant is illegal if you're a U.S. citizen. But police don't need a warrant — which requires showing "probable cause" of a crime — to monitor the numbers for incoming and outgoing calls in real time, as well as the duration of the calls. Instead, they can get a court to sign off on an order that only requires the data they're after is "relevant to an ongoing criminal investigation "— a lesser standard of evidence. The government can also get historical phone records with an administrative subpoena, which doesn't require a judge's approval.
Police can get phone records without a warrant thanks to a 1979 Supreme Court case, Smith v. Maryland. which found that the Constitution's Fourth Amendment protection against unreasonable search and seizure doesn't apply to a list of phone numbers. The Electronic Communications Privacy Act (ECPA) — a 1986 law that underpins much of how the government can get digital data — requires providers to allow access to real-time data with a court order and historical data with a subpoena.
Your Phone Is a Tracker
Many cell phone carriers provide authorities with a phone's location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smartphones. In response to an inquiry by Sen. Edward J. Markey, a Massachusetts Democrat, Sprint reported that it provided location data to U.S. law enforcement67,000 times in 2012. AT&T reported receiving 77,800 requests for location data in 2012. (AT&T also said that it charges $100 to start tracking a phone and $25 a day to keep tracking it.) Other carriers, including T-Mobile. U.S. Cellular and Verizon. didn't specify the number of location data requests they had received or the number of times they've provided it. Internet service providers can also provide location data that tracks users via their computer's IP address — a unique number assigned to each computer.
Courts have been divided for years on whether police need a warrant from a judge to get cell phone location data. Back in 2005, Judge Stephen W. Smith denied a government request for real-time access to location data, and some judges have followed his lead. But other courts have ruled that no warrant in necessary. Authorities only have to show that, under the ECPA, the data contains "specific and articulable facts" related to an investigation — again, a lesser standard than probable cause. Montana, Maine, Wisconsin, Utah and Colorado have passed laws requiring police to get a warrant for location data in most circumstances. (See the American Civil Liberties Union's helpful breakdown of recent laws passed.) Recent court rulings have created a patchwork of rules depending on where you live and who's requesting the data. New Jersey's Supreme Court ruled last year that police needed a warrant to get real-time location data, and Massachusetts' Supreme Judicial Court ruled in February that authorities needed a warrant to get historical location data for significant periods of time. But those decisions apply only to state authorities in those states, not federal law enforcement agencies like the FBI.
Federal appeals courts have split on whether police can get historical location data from cell carriers without a warrant. The Fifth Circuit in New Orleans ruled last year that police don't need a warrant, while the 11th Circuit in Atlanta ruled this month that they do. The rulings mean that police in the 11th Circuit — which covers Alabama, Georgia and Florida — need to get a warrant for location data, while authorities in the Fifth Circuit — Texas, Louisiana and Mississippi — don't need to do so. A similar case, U.S. v. Graham, is ongoing in the Fourth Circuit, which covers Maryland, Virginia, West Virginia North Carolina and South Carolina. "I do think there is a high likelihood that sometime in the next two to four years the Supreme Court will be taking up this issue, and probably sooner than later," said Nathan Freed Wessler, an ACLU staff attorney who argued the 11th Circuit case.
What Computers You Used
The standard for IP addresses is the same as the one for phone records: Authorities can get a court order allowing real-time access as long the court approves that the records are relevant to an investigation. They can also get historical records of IP addresses with an administrative subpoena.
Police can thank U.S. v. Forrester. a case involving two men trying to set up a drug lab in California, for the ease of access. In the 2007 case. the government successfully argued that tracking IP addresses was no different than installing a device to track every telephone number dialed by a given phone (which is legal). The FBI obtained such a court order last year authorizing it to track the IP addresses used to log into an email account reportedly belonging to Edward Snowden in real time (although Lavabit, the email provider, resisted the order).
Messages You Sent Months Ago
Here's where the rules get really complicated. Authorities need a warrant to get unopened emails that are less than 180 days old, but they can obtain opened email as well as unopened emails that are at least 180 days old with only a subpoena as long as they notify the customer whose email they've requested. The government can also get older unopened emails without notifying the customer if they get a court order that requires them to offer "specific and articulable facts showing that there are reasonable grounds to believe" the emails are "relevant and material to an ongoing criminal investigation" — a higher bar than a subpoena. How often does the government request emails? Google says it got 16,407 requests for data in total — including emails sent through
its Gmail service — from U.S. law enforcement agencies in 2012, and an additional 10,918 requests in the first half of 2013. Microsoft, with its Outlook and Hotmail email services, says it received 11,073 requests from U.S. authorities in total in 2012, and an additional 7,014 in the first half of 2013. The company provided some customer data in 75.8 percent of the 2013 requests. (The figures don't include requests for data from Skype, which Microsoft owns.) And Yahoo says it received 12,444 such requests in the first half of 2013, providing at least some customer data in 91.6 percent of them. (The Department of Justice requires providers to wait six months before releasing data on the requests.) A coalition of technology companies, including Apple, Google and AT&T, is lobbying to change the law to require a search warrant for email and other digital data stored remotely.
In U.S. v. Warshak. the U.S. Court of Appeals for the Sixth Circuit ruled in 2010 that authorities should have gotten a search warrant for the emails of Steven Warshak, a Cincinnati businessman convicted of wire fraud in which his emails were used as evidence. The decision only applies in the Sixth Circuit, which covers Michigan, Ohio, Kentucky and Tennessee, but it's had an influence beyond those states. Google, Microsoft and Yahoo have said they refuse to turn over emails without a warrant and cited the ruling. A bill introduced last year by Sens. Patrick Leahy, a Vermont Democrat, and Mike Lee, a Utah Republican, and approved by the Judiciary Committee would update the ECPA and require a warrant to get all emails. A similar bill being pushed by Reps. Kevin Yoder, a Kansas Republican, and Jared Polis, a Colorado Democrat, known as the Email Privacy Act, secured the support of a majority of the House last month. And the Justice Department, which had objected to such a change, said last year that there was "no principled basis" for giving older emails less protection than newer ones.
Drafts Are Different
Communicating through draft emails, à la David Petraeus and Paula Broadwell. seems sneaky. But drafts are actually easier for investigators to get than recently sent emails because the law treats them differently.
The ECPA distinguishes gives stored electronic data — including draft emails that were never sent — less protection under the law. Authorities need only a court order or a subpoena to get them. The bills to update the ECPA would change that by requiring a warrant to obtain email drafts, but none of them have passed yet.
As With Emails, So With Texts
Investigators need only a court order or a subpoena, not a warrant, to get text messages that are at least 180 days old from a cell provider — the same standard as emails. Many carriers charge authorities a fee to provide texts and other information. Sprint charges $30 for access to a customer's texts, according to documents obtained by the ACLU in 2012. while Verizon charges $50.
The ECPA also applies to text messages, which is why the rules are similar to those governing emails. But the ECPA doesn't apply when it comes to reading texts or accessing other data on a physical cell phone rather than getting them from a carrier. The Supreme Court ruled unanimously on Wednesday that police needed a warrant to search the phones of people who had been arrested. The court dismissed the Justice Department's argument that searching a cell phone was not materially different than searching a wallet or a purse. "That is like saying a ride on horseback is materially indistinguishable from a flight to the moon," Chief Justice John G. Roberts Jr. wrote in the opinion.
Documents, Photos, and Other Stuff Stored Online
Authorities typically need only a court order or a subpoena to get data from Google Drive, Dropbox, SkyDrive and other services that allow users to store data on servers, or "in the cloud," as it's known.
The law treats cloud data the same as draft emails — authorities don't need a warrant to get it. But files that you've shared with others — say, a collaboration using Google Docs — might require a warrant under the ECPA if it's considered "communication" rather than stored data. "It actually makes no sense for the way we communicate today," says Greg Nojeim, a senior counsel with the Center for Democracy & Technology.
The New Privacy Frontier
When it comes to sites like Facebook, Twitter and LinkedIn, the rules depend on what authorities are after. Content is treated the same way as emails — unopened content less than 180 days old requires a warrant, while opened content and content at least 180 days old does not. Authorities can get IP addresses from social networks the same way they get them from Internet service providers — with a court order showing the records are relevant to an investigation for real-time access, and with a subpoena for historical records. Twitter has reported that it received 1,494 requests for user information from U.S. authorities in 2012, and 1,735 requests in 2013. In the second half of 2013 — the most recent time period for while data is available — Twitter reported that 55 percent of the requests were from subpoenas, 7 percent through other court orders, 26 percent came through search warrants and 12 percent came through other ways. Twitter says that "non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process," except in emergencies "involving the danger of death or serious physical injury to a person." Facebook says it requires a warrant from a judge to disclose a user's "messages, photos, videos, wall posts, and location information." But it will supply basic information, such as a user's email address or the IP addresses of the computers from which someone recently accessed an account, under a subpoena.
Courts haven't issued a definitive ruling that distinguishes social media posts from other electronic communications. In 2012, a New York judge upheld a prosecutor's subpoena for information from Twitter about an Occupy Wall Street protester arrested on the Brooklyn Bridge. It was the first time a judge had allowed prosecutors to use a subpoena to get information from Twitter rather than forcing them to get a warrant. Last year, U.S. Magistrate Judge John M. Facciola in the District of Columbia modified a search warrant giving the government access to the Facebook account of Aaron Alexis, the Washington Navy Yard shooter, to limit its scope to information relevant to the investigation.