Let’s Play “Spot the Authoritarian Question-Begging”

There’s a comment in the thread responding to my article about the Petraeus “scandal” and the privacy of electronic communications that perfectly captures the mentality that continues to whittle away at the Fourth Amendment:

No, [there] shouldn’t [be an expectation of privacy for government employees]. The potential for harm from abuse of electronic communications so dramatically exceeds the potential harm from abuse of written, verbal or telephone communications that different standards must apply. This is analogous to the 2nd amendment not protecting your right to own nuclear weapons (or, in my opinion, machine guns).

I can’t mail my friend every social security number of every American in an unabtrusive envelope. I can’t call up a buddy and describe the complete plans of a stealth bomber in a 15 minute phone call. I can do that with email.

The government not only has a right to monitor electronic communications of its employees, but a duty to do so. The government has enormous amounts of information about the US citizenry kept in trust. The privacy rights of 300 million Americans who are required by law to submit information to the government trump the privacy rights of individual employees who are not required by law to use electronic communications for their private correspondence.

Note the two key moves here. First of all, there’s the conflation of all “government employees” into a single class, all of whom are assumed to have access to large amounts of sensitive data. High-level officials at the IRS, the elementary school teacher, a secretary at the EPA — all pose the same potential threat to the public good and all presumptively surrender their privacy. On top of this, there’s a second key assumption — that systematic violations of privacy should be a first, not a last, resort. Any hypothetical threat to public interest should be met by the most intrusive means possible.

This logic is inconsistent with basic, fundamental privacy rights, and when done by the state is inconsistent with the values of the Fourth Amendment. Obviously, the expectation of privacy is not absolute. There may be cases where searches of email are justified. But not this kind of systematic monitoring. If there’s individualized suspicion, then the state should obtain a warrant based on probable cause. There may be some cases in which this is not workable. As the hypothetical suggests, there may be some instances where the privacy rights of government workers and the privacy rights of citizens clash. But for private emails to be searched without individualized suspicion, it needs to be a case involving a government official with access to highly sensitive information,* and — this is crucial! — there needs to be a showing that there’s no way of protecting the relevant public interests that doesn’t involve monitoring email. This is the appropriate way to proceed, not “ZOMG! If government employees retain any privacy rights in their private electronic communications there’s no way to prevent the guy who cleans the restrooms at the Parks Department from selling your Social Security number and bank information to the Russian Mob!!!!!!!!!!!!!”

And even if we leave aside the violations of privacy rights, this logic is highly dubious on its own terms. Stephen Holmes was really good on this point in The Matador’s Cape, but this also seems based on the Bush administration fallacy that more information is always better. But this isn’t actually true, because there are opportunity costs. The resources wasted, say, monitoring the emails of government employees suspected of non-marital sexytime because there’s a one-in-a-million chance that you’ll uncover an elaborate blackmail plot are resources that aren’t being used to, you know, try to solve actual crimes.

*Someone will undoubtedly note that Patraeus has exactly the kind of government position that justifies a lesser expectation of privacy. This is true, only his name should never have even come up, because as Nocera also notes today it’s overwhelmingly likely that the FBI had no legitimate justification for hacking Broadwell’s email, and at a minimum since no real Fourth Amendment standard applies we certainly can’t have the slightest confidence that there was legitimate justification.

77 comments on this post.
  1. Steve:

    I disagree.

    As a government employee (Department of the Navy) I have a government e-mail address. I know that a) the government provides the infrastructure for that address and b) (most important) anything I say there is in my position as a DON employee. I have no problem with the government monitoring those communications because I know this is a fact of my employ. Now if the government were to monitor my PERSONAL e-mail accounts because I’m a DON employee then that would be a problem.

  2. J. Otto Pohl:

    I have long assumed that nothing I send by e-mail or say on my mobile phone is truly private. This is especially true with communications sent across international borders which would be the majority of my e-mail and phone calls. I am old enough to remember when letters from communist countries arrived in the US only after months and were taped up after having been opened twice and read. The first time by their spooks and the second time by ours. On the other hand nothing I write using these methods is anything that is going to get me in trouble with the CIA. In fact it gives me great Schadenfreude to think that some poor CIA agent in Liberia is being forced to listen to me talk to my two year old daughter in a strange mix of Russian, English, Kyrgyz, and words she just made up and trying to figure out what we are saying But, the bottom line is that anything you want to be truly secret should never be trusted to any form of electronic communication ever.

  3. cafl:

    Your post conflates several issues:

    1. What email?

    2. Sent/received on what equipment?

    Most working Americans have private email account(s) and work email account(s). The purpose of work email accounts is to do the job you are paid for. The purpose of private email is to carry out your own activities and goals.

    Work email is provided through an infrastructure provided by the employer. The employer has many legitimate (and sometimes mandated) reasons to monitor, archive or delete emails sent as part of its business purposes. It also typically discloses to employees the terms of use of this email when they are hired and periodically thereafter. Employees read email on employer-provided equipment. To the extent that they use their own devices to read this mail, they often violate explicit company policy when doing so.

    Private email is provided through contractual arrangements made by individuals, read on private equipment, and is ultimately under the control of the individual. Individuals can choose the level of privacy they wish through the use of encryption, and by taking responsibility for the storage and retention of their mail.

    When persons use work computers to read private mail, use private computers to read work mail, or use work mail to discuss private matters they open the door to scrutiny of their private affairs.

    I understand that people don’t like to bother their beautiful minds by thinking about this and complying with employer policy, but I also don’t see why we should be outraged when consequences follow from irresponsibility in this regard. I don’t see it as a civil rights issue when their private affairs are revealed through misuse of employer email.

    What has not been clarified in the Petraeus matter is exactly what mail was examined by the FBI? It seems that maybe it was Kelly’s private mail (which she gave the FBI access to), then whatever account Broadwell used to communicate whatever “threats” were made, in which mail from/to Petraeus was read. Have the contents of the “threat” emails been released? Do we know whether Broadwell was using a private account? Without this information, how do you conclude that the scrutiny of the mail was illegitimate?

  4. UberMitch:

    I think we need to account for the fact that everyone has a smartphone in their pocket now. If you want to keep your communications private, whip out the iPhone. I can’t see any expectation of privacy on a computer owned by your employer, governmental or private.

  5. Aaron B.:

    I think Scott’s right, in this case. If the FBI had direct evidence of wrongdoing by Petraeus, they’d be justified in looking into his email, because he’s basically signed those rights away due to his Personnel Reliability Program induction. But that umbrella can’t reach as far as Broadwell or else it gives the government basically unlimited surveillance powers. I could even see an argument for looking into Broadwell’s email if there’s direct evidence of Petraeus and Broadwell’s having an affair. But this is clearly an instance of unjustified snooping that JUST HAPPENED to result in something bigger, and we shouldn’t give officials a free pass in those circumstances.

  6. Scott Lemieux:

    Right. The argument seems to be that an illegal search can be retroactively justified.

  7. Manta:

    Scott, do you think that if/when a court reviews the matter, it will find that what the FBI did was illegal?

  8. cafl:

    The government could have found out about the affair from either Kelly’s or Broadwell’s email, examined as a result of the so-called “threats”. This is in fact what has been stated as the way in which the affair was discovered.

    Having done so, the FBI were entitled to examine whether confidential information had been leaked by Petraeus to Broadwell, because both had prior agreements with the government through the granting of security clearances and because of their government jobs.

  9. Richard:

    My understanding, from the article in the WSJ, is that the FBI obtained Broadwell’s identity from using administrative subpoenas, which dont require judicial approval or really anything at all, and once they had her identity, along with the information acquired from Kelley’s emails which she had voluntarily provided to the FBI, went to district court and obtained a search warrant (necessarily making a showing of probable cause that a crime has been committed). If that is what happened, I believe the FBI acted appropriately and some judge approved those actions.

    I agree with Scott that the mere fact that you are a government employee shouldn’t open up all your emails to government surveillance but if the WSJ article is accurate, they didn’t do that. They got a warrant for Broadwell’s emails and, in the course of reading them, found out about the affair and appropriately reported that to the higher ups in the Army. I dont see a problem with that.

    If they examined Broadwell’s emails without a warrant, I have problems with that. I also would suggest holding off any final approval or condemnation of the FBI until all the facts are in.

  10. Richard:

    According to the WSJ, a court DID review the FBI’s actions and granted a search warrant for all of Broadwell’s emails. I dont know if that happened or not; Scott doesn’t know if it didn’t happen. But the obtaining of a search warrant for Broadwell’s emails is really crucial and is a point that Scott continues to ignore, asserting that the Broadwell-Petraeus emails were obtained as part of systematic monitoring or hacking, neither of which appears to be the case (if the WSJ article is accurate).

  11. Richard:

    I dont think so. You couldn’t find out about the Broadwell-Petraeus affiar from reading Kelley’s emails. You had to read Broadwell’s emails or Petraeus’ emails to find that out. My understanding, from the WSJ article, is that they got a warrant to look at the Broadwell emails. Those emails implicated Petraeus in an affair and they didn’t need a warrant to then read Petraeus’ emails because of his position as CIA chief (plus I am very confident that he would have signed a waiver when he was confirmed explicity waiving any right of privacy and explicitly giving law enforcement the right to read any of his electronic communications at any time and under any circumstances)

  12. Richard:

    The exact content of all of the threats hasn’t been realized but it appears they were sort of creepy but not illegal. From reading a bunch of the news reports, it appears that Kelly’s email was on a private account (she wasn’t a government employee after all) and the same for Broadwell (again, she wasn’t a government employee). It appears that the FBI read private and public emails of Petraeus and that Petraeus and Broadwell set up separate private accounts for their affair related emails using a tactic which they thought would evade notice, presumably from their spouses (each had the passcode to each other’s accounts, messages were left in the “draft” file and, once read, then deleted so no email was ever sent. Of course, deleting the draft didn’t actually get rid of it).

  13. greylocks:

    Courts routinely issue unjustified search warrants, often because the police lie about having probably cause, or because the judge is just an idiot. If a warrant was indeed obtained, that process needs to be scrutinized and re-evaluated as well.

    Just because a judge says it’s okay doesn’t make it okay, and arguing otherwise is precisely the sort of authoritarianism that Scott is railing against.

  14. Rick Santorum's Leaky Faucet:

    I think it’s made abundantly clear to government employees that they have no expectation of privacy at work/on government computers. Here, personal emails were bundled within work related emails anyway.

    No reasonable expectation of privacy = no search = no Fourth Amendment violation

  15. Aaron B.:

    If true – and I haven’t been able to confirm it – it does insulate the FBI from charges of extra-legal behavior. But it can still reflect poorly on the process as a whole.

  16. Incontinentia Buttocks:

    Actually, everybody doesn’t have a smartphone. I certainly don’t.

  17. Aaron B.:

    I think the search of Broadwell, not Petraeus, is the surveillance issue here.

  18. Richard:

    Of course, the judge can be wrong or he could have based his decision on false statements in the FBI affidavit in support. We don’t know yet if that happened (and certainly, not having seen the affidavit, no one is in a position to claim that the FBI lied.

    But it appears, if the WSJ is accurate, that the FBI went through the appropriate procedural hurdles. They got a judge to look at the evidence they produced.

    I’m not arguing that just because a judge says its okay makes it okay. I’m saying that based on the facts I’ve seen, which I’ve laid out in numerous posts by now, it appears to me that the FBI acted appropriately and its actions are not authoritarian.

  19. Richard:

    I dont think it reflects poorly until we see what was in the affidavit that was presented to the judge (and assuming, of course, that the WSJ was correct in stating than an affidavit was obtained).

    It just seems to me that, based on the articles I’ve read, its way too early to assert that the FBI acted wrongly.

  20. Richard:

    Thats the way I see it. The FBI had to have reason, and a warrant, to search Broadwell’s email. Once they did that, and there was evidence of emails from Broadwell to Petraeus, and evidence that they were trying to hide those emails, the FBI, under current law, had the authority to read the emails of the head of the CIA. I have no problem with that at all. It would be a different situation if a search of Broadwell’s email revealed that she was having an affair with a Post Office employee and the FBI, without warrant, then read all the emails of that employee.

  21. Richard:

    That is the current law. I think Scott is arguing that this shouldn’t be the law, that the mere fact of being a government employee should not mean that you lose any right of privacy in your private emails. I would agree with that. Its just that the Petraeus matter seems to be a very poor set of facts to make that argument.

  22. John:

    Do you have a reasonable expectation of privacy when you email the CIA director?

  23. Richard:

    Not “realized”. It should say “released”

  24. joe from Lowell:

    I don’t usually comment on legal threads; I can barely follow them sometimes. Forgive me if this is a stupid question, but Scott wrote:

    But for private emails to be searched without individualized suspicion…

    What does “private emails” mean here?

    Were they searching emails that Patreaus or Broadwell sent through their own computers and private email accounts, as opposed to work computers or .mil accounts? This seems like it would be a meaningful legal issue.

    Does “private” mean “talks about the sexytime?” Or is it the status of the recipient as a “work contact” or a “personal contact?” How are the agents looking at a work email supposed to know which ones they can open? Are they supposed to tell from the subject field?

    How is Scott using it here?

  25. joe from Lowell:

    the mere fact of being a government employee should not mean that you lose any right of privacy in your private emails

    What do you mean by “private emails” here? Is it content-based, recipient-based, location-based, or what?

  26. peorgietirebiter:

    I’ve long thought that the current political climate enables the abuse of our privacy but also poses a real threat to national security. Just as even, a smart, dedicated judge would be loathe to deny the FBI a warrant on the thinnest pretense given the downside for being blamed for a body count; politicians, especially the president are almost forced into Cheney’s 1% stupidity. It’s no longer safe to be smart about security because no risk would be treated as reasonable or rational if something went south.

  27. T. Paine:

    And considering that Verizon and AT&T have given the NSA access to their central servers, the “use the iPhone!” argument is a little unrealistic. But I’m sure that the FBI would never get that kind of access if they asked for it!

  28. laura:

    Your posts are very clarifying, but I don’t think Scott is arguing that the FBI acted illegally; he’s arguing that the legal procedure as currently set out isn’t consistent with the 4th Amendment.

    I agree we don’t have all the facts (in particular none of Broadwell’s emails have actually been leaked and if she was indeed anonymously badmouthing Kelley by email to various people including Kelley I wouldn’t have much sympathy for her expectation of not being traced) but it does look to me like Kelley’s friend had an alarming amount of latitude in making decisions about how hard to push the investigation at Kelley’s behest (i.e. the decision to make the initial trace at least). If the FBI responds differently to complaints from “insiders” like Kelley than for outsiders, that leaves a lot of room for abuse.

  29. Aaron B.:

    Yes? Should my having emailed the CIA director mean my entire email can be searched based on suspicion alone? (Of course, if it turns out they did have a warrant, this isn’t relevant, legally speaking)

  30. T. Paine:

    I think in this instance it means “a personal Gmail account, as opposed to an email address issued by the government/employer.”

  31. Richard:

    What I mean is location/server based. If you have a private gmail account, for example, which you only use at home, then I dont believe the government should have the right to routinely access it and search through it to see if you might be doing something wrong. (If there is evidence you are doing something illegal, the government can get a warrant)

    I think a different rule should apply to the head of the CIA.

    And, of course, if you send an email to someone else, the recipient can disclose the email to the FBI or anyone else (whether you are a government employee or not). And if you send an email to the head of the CIA, there should be no right of privacy there.

  32. Richard:

    Correct. Its my understanding that Broadwell was not a government employee so her emails were sent through “private” accounts. And Petraeus had both government and private email accounts but appears to have drafted/sent the sexytime emails on his private gmail account.

  33. DocAmazing:

    Given the existence of things like CARNIVORE and ECHELON, privacy is kind of a moot point from a practical point of view. That’s not to say it’s not worth fighting for, but spooks are numerous and busy and have been for many, many years.

  34. Aaron B.:

    So this is true of Petraeus’ mom’s Christmas emails – and not only that, but her entire account?

  35. Richard:

    By sending an email to the director of the CIA, you give up any expectation of privacy in that email but it shouldn’t open up any of your other emails to government inspection (or allow the governmemnt to search your computer, absent a warrant, to see if there are any other communications to the director).

  36. joe from Lowell:

    Not your “entire email,” but you have to figure that the entirety of your correspondence history with the CIA would be looked at. At a minimum, they’re going to read both sides of any email reply chains, and if they find anything that looks like CIA business, your email with the CIA is going to get looked at some more.

  37. Richard:

    No, I didn’t mean that. I meant that emails to Petraeus, even from his mom, can be read by the government. They have a right either from Petraeus’ unique position or from explicit authorizations which he signed, to read any mail sent to him. But they should have no right to read any other emails authored or received by his mom.

  38. joe from Lowell:

    As I understand it, those programs work by having computers search for certain pre-programmed strings of data – could be a name used a certain way, could be a schematic of the secret space shuttle (shh) – and if they get a match, they alert somebody who looks at them. Correct me if I’m wrong about the basic architecture.

    I would be comfortable, under that system, with this: the computer puts all of the hits into a secure location, and the NSA periodically gets a warrant to read what’s on that memory card. The court maintains oversight of how the programs are being run, what they are looking at in the hit bin, and what they are doing with the information, as part of each warrant they issue. The NSA reports on these things in each warrant application, and the judge has the authority to deny the warrant if it isn’t being run on the up-and-up.

  39. Richard:

    My argument with Scott is that, based on the information I’ve seen, I think the legal procedures in place in this case ARE consistent with the 4th Amendment.

    With regard to selective prosecution, that is always subject to abuse. Here it appears that the friend (the FBI agent who appears to have had the hots for Kelley) initially referred the complaint to the appropriate unit of the FBI concerned with cyberstalking but then inappropriately pushed that unit to take action and when they didn’t, went to the Republican house leadership. My understanding is that this friend had no active part in the investigation since he’s not a computer guy and was eventually told to stay out of the case altogether. Its unclear whether the FBI unit would have taken the actions they did without his prodding but I dont discount the very real possibility that the cybercrime unit would not have taken the step of seeking the identity of the sender of anonymous emails if not for the fact that this guy was prodding them. But the possibility of a over eager FBI agent prodding his friends/co-workers to take action happens in all sorts of cases, not just the somewhat unique situation found here and not just in email cases.

  40. DocAmazing:

    Great idea, if there were some way to assure that no abuse were going on. Unfortunately, someone squeaking “National security! National security!” is all that’s been necessary to shut down oversight, in the past few decades.

  41. joe from Lowell:

    Great idea, if there were some way to assure that no abuse were going on.

    The way we try to “assure” that no abuse is going on, in the American legal system, is to give courts review of the executive’s actions. Are you making some technical point about it being impossible for court supervision to know what information is being looked at?

    Unfortunately, someone squeaking “National security! National security!” is all that’s been necessary to shut down oversight, in the past few decades.

    That seems to be more of a point about why court oversight would be unlikely to be set up, rather than why a court oversight system would not be a good idea.

  42. owlbear1:

    From what I’ve read Petraeus and Broadwell had access to a google email account where they would draft messages to each other without actually sending anything.

  43. cafl:

    I agree with your conclusions throughout the thread and thank you for adding to my understanding of what occurred. However, I don’t think one can know whether Kelly’s mails received from Broadwell did or didn’t reveal or strongly suggest the existence of the affair with Petraeus without seeing them. Perhaps you know they did not because of your close reading of the news accounts.

  44. owlbear1:

    Any email you send will leave behind copies of itself (or a least a record of its passage) on at least half a dozen computers. This doesn’t include the 7 or 8 routers it passes through along the way.

    Every phone call you make that goes to a central office is converted into a VOIP single and again leaves a record of its passage.

  45. cafl:

    This is why I think anyone who is actually concerned with the privacy of a mail item should look into a mail encryption solution. Similarly, there is VOIP software that encrypts calls. If you don’t trust the mechanisms of the legal system, you can take control of this yourself.

  46. laura:

    True, but I think the fact that abuse can happen provides some justification for the idea that even in the lesser matter of tracing emails (as opposed to reading unrelated emails), there should be some sort of legal oversight.

    Also, as I understand it, the Republican leadership wasn’t notified until long after the affair between Petreaus and Broadwell had been confirmed and after Eric Holder had been notified about the results of the investigation. If that’s the case, whatever motive Fred Humphries (assuming it was him) had for telling Cantor it wasn’t to push the investigation forward.

  47. Richard:

    From my reading, there was no mention at all of Petreaus’ name in the Broadwell to Kelley emails. Instead, the emails were of the nature of “I know what your’e doing, stay away from my man” without specifying who the man was. But that is far from definitive knowledge. Its possible that there was more from which you could infer an affair between Broadwell and Petraeus.

  48. M. Bouffant:

    Isn’t the primary issue here that Broadwell’s e-mails to Kelley really weren’t threatening (just rude/mean*, at least as far I’ve heard) & there really was no reason to look further at them, let alone pore through all her e-mail.

    *Actually, described as “bitchy” or “a catfight” by whichever anonymous but enlightened jerk shared w/ the media.

  49. heckblazer:

    Saying that people should carefully to segregate their work and their personal communications sounds nice, but that’s not how people in the real world act. Someone might send an email about the report they’re working on and also ask about the recipient’s kids, or ask them out for coffee, for example. That this happens is recognized by FOIA, so when someone makes a FOIA request that includes emails someone has to sit down and review them and excise any personal stuff.

  50. Richard:

    But we dont know that Humphries was informed of the results of the investigation. My understanding was that Humphries thought that no progress was being made in the investigation which is why he went to Cantor. But then again, I dont think anyone knows all the facts yet and, since it is likely that there will be no criminal charges and therefore no one to complain about the investigation, we may never know

  51. Richard:

    If thats the case – some mean emails with vaguely threatening language by not legally actionable – I would agree that the FBI should not have sought to learn Broadwell’s identity. And if some mean emails were all the FBI had, they wouldn’t have had enough to go to a judge and get a search warrant.

    But it has been reported that the emails also had “not public” information about the activities of Petraeus or other generals and that led to a suspicion that the email sender had private information regarding senior government officials and was disclosing that information. If that is the case, I dont see a problem with the FBI seeking to find out the identity of the sender (since you have, at the most, a limited privacy interest in remaining anonymous)

  52. Murc:

    This is another way of saying “I am comfortable with having the government root through all of my communications all of the time.”

    And that’s nice for you, but I certainly am not comfortable with it. I expect my private communications to remain inviolatedabsent probable cause, and looking at them for “certain pre-programmed strings of data” requires, you know, looking at them.

    I don’t give a fuck if my communications go into some bin and a spook takes a look at it and sees I’m doing scholarly research on radical Islam and not, in fact, planning to blow up a building. They should need to have cause to believe I’m going to do something illegal before they even BEGIN to filter my communications looking for something incriminating.

  53. joe from Lowell:

    This is another way of saying “I am comfortable with having the government root through all of my communications all of the time.”

    Ah, is that what a system of court orders and reviews suggests to you? Comfort with constant rooting?

    Do you think including both of the “alls” in that sentence is a little dramatic?

    looking at them for “certain pre-programmed strings of data” requires, you know, looking at them.

    Are we talking about people or machines here? Your over-the-top-ed-ness is interfering with the precision of your point maybe a little.

    I’m doing scholarly research on radical Islam and not, in fact, planning to blow up a building.

    You’ve just written your whole little story here, haven’t you?

  54. M. Bouffant:

    Ah. That’s different, then. Not that I have anything better to do w/ my time, but I wasn’t aware that the movements of the generals had been in whatever was first brought to the FBI’s attention.

  55. Njorl:

    *Someone will undoubtedly note that Patraeus has exactly the kind of government position that justifies a lesser expectation of privacy.

    Between choosing to add this footnote, or choosing not to write this post, the latter would have been better.

  56. Njorl:

    From what I’ve heard, no emails were actually sent between Patraes and Broadwell. They shared a Gmail account. They would write and save drafts without sending them, then the other would read them and delete them.

    I don’t know what justification was used to get at cached copies of those deleted drafts, but it has nothing at all to do with the government having a right to monitor employees’ emails.

  57. Njorl:

    There was a movie in which a radical who knew he was being spied upon would write letters to his watcher and mail them to himself. Eventually one came back with “Why are you doing this to me? I’m just trying to do my job!”, scrawled on it.

  58. Njorl:

    …which you knew already …

    Nevermind.

  59. Murc:

    Ah, is that what a system of court orders and reviews suggests to you? Comfort with constant rooting?

    Do these court orders and reviews take place before or after a system has already examined my communications?

    If the answer is ‘before’ then, yes, without being one bit hyperbolic, that suggests comfort with constant rooting. You might as well say you’re comfortable with the authorities slitting open all your mail, scanning it, then having a computer search it for “certain pre-programmed strings of data.”

    But let me be even more blunt. I think the government should have to get probably cause before even looking in the direction of my private communications, and this includes using machines to do their looking for them. Agree or disagree?

    Are we talking about people or machines here? Your over-the-top-ed-ness is interfering with the precision of your point maybe a little.

    … what the hell is the difference?

    I have an equal problem with a computer rooting through my communications looking for certain criteria as I do a with a human being doing the same thing.

  60. Richard:

    I don’t think that’s correct. I would guess that, as a condition of accepting the post as director of the CIA, Petraeus explicitly and in writing waived any privacy rights he may have had in any email account, public or private, and that the waiver extended to cached drafts of emails as well as sent emails

  61. Murc:

    And of course, ‘if the answer is ‘before” I clearly meant ‘if the answer is ‘after”.

    Because, you know, the day just isn’t complete without a linguistic fuck-up on my part.

  62. IM:

    represent!

  63. joe from Lowell:

    You might as well say you’re comfortable with the authorities slitting open all your mail, scanning it, then having a computer search it for “certain pre-programmed strings of data.”

    Incorrect. That would involve people – people with the authority to take enforcement action – reading and understanding the contents, as opposed to machines making records about matching strings of 1s and 0s.

    If you want to make the case that there is no difference between the two, I’m all ears, but this huffy question begging isn’t a substitute for a rational argument.

    I think the government should have to get probably cause before even looking in the direction of my private communications

    That’s just dumb. Even in the realm of dead-tree letters, the government can look at the outside of the envelope. You tell me you aren’t engaging in hyperbole with your comments? Um, ok.

    I have an equal problem with a computer rooting through my communications looking for certain criteria as I do a with a human being doing the same thing.

    That’s just dumb. Think about your ISP. Their system goes through every single bit of data in every communication you send, and there is absolutely nothing wrong with that – but if someone at the data center were to actually access that data in order to read your email, that would be an invasion of your privacy. Why isn’t the situation with the government analogous?

  64. joe from Lowell:

    This.

    Putting ones and zeros into a cache is not a search. A person looking at what those ones and zeros say is a search.

  65. El Cid:

    Some of the reporting I’ve read held that the original FBI motivation to look into the matter (presumably once informed about it by Jill Kelley’s FBI buddy) was that the anonymous e-mails appeared to be very familiar with General Allen’s (and maybe Petraeus’, I don’t recall) location and travel plans.

    That seems like enough to begin investigating who it is which might be sending vaguely intimidating e-mails but which are familiar with the itinerary of a major U.S. military officer.

    I’m pretty sure that had the FBI not investigated to make sure it wasn’t terrorist connected (i.e. planning an attack on Allen or whatever), somebody would be getting their ass chewed out or hauled in front of Congress.

    If that’s true, I don’t think it would take long for them to discover that it wasn’t a security threat but I also wouldn’t be surprised that in the course of the investigation the FBI chose to inform Petraeus / Allen of this unfortunate silliness.

  66. Manta:

    I think we can recycle this advice:

    http://crookedtimber.org/2012/10/06/the-quote-doctors/#comment-430535

  67. Cowardly Anonymous Corporate Stooge:

    So here’s a question for you (with no snark or sarcasm intended):

    Corporations routinely use tools like DLPs (Data Loss Prevention devices) to scan outbound email and other traffic for assets leaving their organizations, particularly things like payment, financial, or employee PII (Personally Identifiable Information). These tools are both to protect the company in question, but also the individual’s privacy by either providing early notification or blocking such transmission.

    In order to execute such processes, as noted scanning of traffic is required, including often private communication.

    While the process is automated (ie: via software) and should in theory avoid catching unrelated communication, no algorithm can be perfect in this regard. For instance, employees sending an application for say personal credit with SSN or PAN (Primary Account Number – ie: credit cards) may trigger the rules. Also some random text or numbers stored within may appear to be PII/SSNs/PANs/etc.

    Subsequently those administering the DLP devices may look into the “incident” and see private communication. Generally organization have a policy to delete and pretend they never saw these “false positives”, but once someone is looking at the communication, anything possible (my experience is with professionals who handle this correctly, however again, over many entities anything is possible).

    For legal reasons employees generally have to sign off on Acceptable Use policies that have caveats essentially saying “anything you do using the organization’s infrastructure is subject to monitoring”, however even so this premise would seem to be counter to your thesis.

    So, in closing, I am not trying to argue with your point (at a basic level I agree), however how do you reconcile this with the need to protect organizations and their employees, customers, (or in the case of governments) citizens from confidential data loss (which in the case of governments might include say, military secrets)?

    That is, do you believe automated monitoring for leaked information is appropriate as stated?

  68. Cowardly Anonymous Corporate Stooge:

    I should also note often these tools can be loaded with “hashes” (hard to explain, but basically it’s a way of summarizing the data without actually saving a reversible copy of the data) of documents to look for. For instance, if you have specific confidential/classified documents, these can be pre-loaded into the device and when these hashes as seen in outgoing data, the data is flagged (or blocked).

    Thus, not only can these DLPs look for patterns like SSNs, but also documents. Loading in these hashes (including those of SSNs/PAN/etc.) can reduce false positives and improve accuracy, but even so it is possible that they will be triggered falsely, in which case personal communication may be intercepted and potentially read in the process (though again, properly policy would be to delete/ignore these once discovered to be false positives).

  69. aidian:

    …everyone has a smartphone in their pocket now.

    Yesterday I read on either slashdot or the verge that for the first time last year more than half the phones sold in the U.S. were smartphones, and this year it was two-thirds.

    Everyone you know != everyone

  70. aidian:

    A search is a search, whether by hand or machine. There’s no difference between a computer running a regex against my email and a spook scanning it with his or her naked eye.

    ISPs use deep packet inspection to look at the types of data being transmitted — looking at which protocols are being used. They do not routinely scan every byte of traffic for content. And usually all they’ll see from me is that I’m using a VPN. Regardless, they are a private company, and the fourth amendment restrains the government.

  71. aidian:

    On the government/employers network, it would seem legally alright. If someone is using their gmail account from the office LAN, even if on their own device, they should expect to be victimized by all the bullshit, orwellian garbage that IT departments and bosses use on their networks. I guess it’s cheaper than hiring good people and treating them well :)

  72. Murc:

    That would involve people – people with the authority to take enforcement action – reading and understanding the contents,

    No, it wouldn’t. That was why my example used “scanning them in.” You can do that without reading a document. I’ve done it.

    as opposed to machines making records about matching strings of 1s and 0s.

    …1s and 0s are content! There’s a reason it’s called machine LANGUAGE.

    Even in the realm of dead-tree letters, the government can look at the outside of the envelope.

    I will admit that despite the fact that the Post Office is an arm of the government, I would be uncomfortable if I knew that there was a cop in every post office who was looking at the address of every letter I sent, picking it up, weighing it in his hand, holding it up to the light, and then keeping a record of what he saw.

    I don’t know if such conduct would be unconstitutional or not, but if it isn’t, I’d argue it should be strongly illegal absent probably cause to look at a specific persons letters for a specific reason.

    Their system goes through every single bit of data in every communication you send, and there is absolutely nothing wrong with that

    First of all, this isn’t true. While every single bit of data I send does route through my ISP, it usually doesn’t bother actually LOOKING at most of it. If ISPs did that we’d never have problems with computer viruses because they’d all be filtered at the routing level. What happens (and this explanation is a loose one) is that packets will shout ‘Hey! Send me and everyone who comes after me HERE unless we say otherwise!’ and the ISP will say ‘okay, sure.’ It often won’t even keep a record except about traffic in the aggregate.

    Scanning every byte for content, even just to do a regex to it, would be a massive financial undertaking. No ISP could do it and remain profitable.

    Why isn’t the situation with the government analogous?

    In order to be analogous, the government would have to NOT be looking at the content in any way, ever, absent probable cause. Instead, the way you describe it, they’re having machines search it for content, then using what they find as justification for a warrant to go in and look further.

    And THAT’S what I find dumb. That is precisely equivalent to the cops slitting open my mail, finding evidence of criminality, and then applying for a warrant to open my mail because now they have evidence of wrongdoing. It’s circular.

  73. L2P:

    Your use of government equipment is irrelevant.

    The justification for monitoring your emails is your access to “government” information and the ease of communicating it through email. Whether you communicate it through a government computer or your own doesn’t really matter.

    And say you’re a government contractor at the DON, using a laptop you provided yourself and getting internet access through a third party (but paid for through the government contract), working right next to a government employee. Why should your right to private emails suddenly increase? That seems incredibly arbitrary, doesn’t it? Is your position that the 4th Amendment now turns on whether you satisfy the 18-factor test regarding employee/independent contractor status?

    Seems odd.

  74. Ed:

    To the extent that they use their own devices to read this mail, they often violate explicit company policy when doing so.

    Which doesn’t make it rational or realistic company policy, especially for those who work long hours. I agree that employees using their work e-mail accounts should have no expectation of privacy for those accounts. Private accounts checked during working hours on company equipment are or should be another matter.

  75. ajay:

    I can’t mail my friend every social security number of every American in an unabtrusive envelope.

    Minor point, but: Of course you can. (thumb drive)

  76. Fold in: Cognitive Dissonance and Authoritarianism:

    [...] Let’s Play “Spot the Authoritarian Question-Begging” (lawyersgunsmoneyblog.com) [...]

  77. cpinva:

    Seems odd.

    no, this seems odd:

    And say you’re a government contractor at the DON, using a laptop you provided yourself and getting internet access through a third party (but paid for through the government contract), working right next to a government employee. Why should your right to private emails suddenly increase? That seems incredibly arbitrary, doesn’t it? Is your position that the 4th Amendment now turns on whether you satisfy the 18-factor test regarding employee/independent contractor status?

    you’ve equated, badly, two polar opposite positions, and made them one 4th amendment issue.

    on the one hand, you claim that employer provided communication assets, to be used solely for employer related communications, should require the employer to secure a warrant, in order to access their own equipment, and review their own intangible property (the emails sent/received by the employee), which is ludicrous on its face. since the employee enjoys zero expectation of privacy, on any employer provided assets, why on earth should the employer need a warrant, to secure access to its own assets?

    on the other hand, you claim (again, badly)that the contractor employee, using equipment purchased specifically with that contract’s payments (maybe, maybe not, since money is a fungible item), to send/receive emails regarding said contract, may be subject to a warrantless search/seizure, solely because of the existence of those emails. hogwash. that the emails are about the contract is irrelevant, the assets used to send/receive them belong to someone else, giving the employee a reasonable expectation of privacy, with regards to the government (the employer may be a different issue, especially if the hard assets are owned by them). it’s the reasonable expectation of privacy, that gives rise to the requirement for a warrant.

Leave a comment