It's Too Complicated: How the Internet Upends Katz, Smith, and Electronic
Total Page:16
File Type:pdf, Size:1020Kb
Harvard Journal of Law & Technology Volume 30, Number 1 Fall 2016 IT’S TOO COMPLICATED: HOW THE INTERNET UPENDS KATZ, SMITH, AND ELECTRONIC SURVEILLANCE LAW Steven M. Bellovin, Matt Blaze, Susan Landau, & Stephanie K. Pell* TABLE OF CONTENTS I. INTRODUCTION .................................................................................. 2 II. LEGAL BACKGROUND AND ANALYSIS ........................................... 11 A. Content/Non-Content Constitutional Distinctions & Statutory Definitions ................................................................ 12 B. What Other Scholars Have Said and Done ................................ 20 1. To Distinguish and Categorize or Not? ................................... 21 C. Third Party Doctrine Complications ......................................... 22 1. United States v. Warshak......................................................... 22 2. Miller & Smith ......................................................................... 25 III. NETWORK ARCHITECTURES ......................................................... 32 A. The Phone Network and the Internet .......................................... 34 B. An Introduction to the Network Stack ........................................ 36 C. Architectural Content ................................................................. 44 D. Defining DRAS ........................................................................... 46 IV. INTERNET SERVICES AND METADATA .......................................... 52 A. Services and Architecture ........................................................... 54 B. Email Headers and Envelopes ................................................... 57 1. Wiretap Law and Email Headers ............................................. 61 C. The World Wide Web and URLs ................................................ 64 1. Wiretap Law and URLs ........................................................... 69 D. Blurred Boundaries.................................................................... 73 * Steven M. Bellovin is the Percy K. and Vida L.W. Hudson Professor of Computer Sci- ence, Columbia University. The views expressed are the author’s personal views and do not represent the position of Columbia University or any agency of the US government. Matt Blaze is an Associate Professor of Computer and Information Science at University of Pennsylvania. Susan Landau is the Professor of Cybersecurity Policy at Worcester Poly- technic Institute and Visiting Professor, Department of Computer Science, University Col- lege London. Stephanie K. Pell is an Assistant Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute and in the Department of English & Philosophy. She is also an Affiliate Scholar at Stanford Law School’s Center for Internet & Society. The views ex- pressed are the author’s personal views and do not represent the position of West Point, the Army or the US Government. Authors are listed alphabetically. The authors would like to thank Susan Freiwald, Stephen Henderson, Orin Kerr, Peter Swire, and participants in the Privacy Law Scholars Conference 2015 workshop of this Article, all of whom provided useful comments on an earlier draft of this paper. 2 Harvard Journal of Law & Technology [Vol. 30 E. Discerning Content from Non-Content: Audio and Ambient Sound Processing ...................................................... 80 F. Service Location Ambiguity........................................................ 83 1. Standalone, Entirely Local Architecture ................................. 85 2. Fully Connected Architecture ................................................. 86 3. Middle-Ground Architectures ................................................. 87 G. Other Examples.......................................................................... 88 1. The Domain Name System...................................................... 88 2. Ad Networks ........................................................................... 89 3. Metadata as Messages ............................................................. 90 4. Middle Boxes .......................................................................... 90 H. Concluding Remarks .................................................................. 91 V. RECOMMENDATIONS ...................................................................... 91 A. Recommendation for the Department of Justice ........................ 93 B. Recommendations for Judges ..................................................... 94 C. Guidance to Policymakers ......................................................... 98 VI. CONCLUSION ................................................................................ 99 I. INTRODUCTION For more than forty years, electronic surveillance law in the Unit- ed States has drawn a strong distinction between the protections af- forded to communications “content” and those afforded to the “non- content” — also known as “metadata” — associated with it. The legal framework for surveillance law was developed largely in the context of the mid-twentieth century telephone system, which itself treated content and metadata as cleanly distinct technical concepts. In an era of relative stability in telephone services and technologies, the consti- tutional and statutory legal principles, once established, were usually straightforward to apply to individual cases, even as the technology incrementally improved. The Internet, a great disrupter in so many ways, challenges bed- rock assumptions on which several principles of modern surveillance law rest. The network’s open and dynamic architecture creates a communication environment where an individual unit of data may change its status — from content to non-content or vice versa — as it travels across the Internet’s layered structures from sender to recipi- ent. The unstable, transient status of data traversing the Internet is compounded by the fact that the content or non-content status of any individual unit of data may also depend upon where in the network that unit resides when the question is asked. In this digitized, Internet Protocol (“IP”)-based communications environment, the once stable legal distinction between content and non-content has steadily eroded to the point of collapse, decimating in its wake any meaningful appli- No. 1] The Internet and Electronic Surveillance Law 3 cation of the third-party doctrine.1 Simply put, the world of Katz,2 Smith,3 the corresponding statutes that codify the content/non-content distinction, and the third-party doctrine are no longer capable of ac- counting for and regulating law enforcement access to data in an IP- mediated communications environment. This Article examines why and how we now find ourselves bereft of the once reliable support these foundational legal structures provid- ed and demonstrates the urgent need for the development of new rules and principles capable of regulating law enforcement access to Inter- net communications data. The physical separation of metadata from message instructs the Court’s reasoning in Ex parte Jackson.4 When examining the commu- nication technology of postal correspondence, the Court provided Fourth Amendment protections to the interior matter contained in packages and sealed letters but exempted the “outward form and weight” of the parcels from the umbra of these protections.5 The phys- ical structure of the letter or package allowed for a clear constitutional rule that separates inner content from outer, publicly exposed, address information.6 Fourth Amendment protections for the content of telephone con- versations were first recognized in 1967 in Katz. Specifically, the Court held that law enforcement’s interception of the content of tele- phone conversations was a search and, accordingly, a warrant author- izing the collection was required.7 Because Katz involved law enforcement collection of telephone conversations through a listening device affixed to the outside of a telephone booth, the Court did not encounter the question of whether constitutional protections should apply to non-content information associated with the content of tele- phone calls in the possession of a “third party” (such as the telephone company). That question did not reach the Court until 1979, twelve years af- ter Katz. In Smith v. Maryland, the Court found that government col- lection of dialed digits with a pen register device did not constitute a search.8 The Court reasoned that the information was voluntarily con- veyed to a third party (the telephone company, for the purpose of con- necting the call) and that, unlike the voice conversations considered in 1. For discussion of the third-party doctrine, see infra Section II.C. 2. See generally Katz v. United States, 389 U.S. 347 (1967). For a discussion of Katz, see infra Section II.C. 3. See generally Smith v. Maryland, 442 U.S. 735 (1979). For a discussion of Smith, see infra Section II.C. 4. See generally Ex parte Jackson, 96 U.S. 727 (1878). 5. See id. at 733. 6. See id. 7. See generally Katz, 389 U.S. at 347. 8. See Smith, 442 U.S. at 745–46. 4 Harvard Journal of Law & Technology [Vol. 30 Katz, dialed digits themselves did not comprise communications con- tent.9 By 1979, Katz and Smith had thus established the foundation of two major tenets of electronic surveillance law: the content/non- content distinction and the third-party doctrine. Congress first codi- fied these principles in Title III of the Omnibus Crime Control and Safe Streets Act10 (“Wiretap Act”), providing the