[Natsu]

How Internet Companies Would Be Forced to Spy on You Under H.R. 1981

Excerpted from: https://www.eff.org/deeplinks/2012/02/how-internet-companies...

Because the actual language of the bill is somewhat vague, activists at Demand Progress have correctly noted that this legislation might force Internet companies to retain even more data just to be on the safe side. The proposed bill is an amendment to 18 USC § 2703, the law currently defining the circumstances under which companies that store electronic data on customers must disclose it to the government. H.R. 1981 is attempting to amend and expand this law in a way that “enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.”

So what is subsection (c)(2)? It requires a provider to turn over to the government without a warrant:

    Name
    Address
    Records of session times and durations
    Length of service (including start date) and types of service utilized
    Credit card or bank account number

[dissident]

> It requires a provider to turn over to the government without a warrant:

It does not require that a provider turn that over to the government without a warrant. It mandates that only the government can have access to it.

Providers still have the liberty of not complying with government requests for assistance, in which case a warrant would be necessary to obtain the information.

We can argue over whether providers will cooperate or not in practice, but it does not require providers to do anything but keep the information.

[Natsu]

It appears that you're missing something. Read the act's reference to subsection (c)(2) carefully. You see, there is no subsection (c)(2) in the proposed bill. It's a part of the law this would have amended, 18 USC § 2703.

And 18 USC § 2703(c)(2) requires no more than an administrative subpoena (though there are other ways to get it as well). And an administrative subpoena is not a warrant at all. But don't take my word for any of this, read it for yourself:

"(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the [long list of customer info skipped] of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1)."

Ref: http://www.law.cornell.edu/uscode/text/18/2703

It's like we have a software patch and everyone is reading only the patch, without considering what the existing code does.

[dissident]

It would appear there's more to the story than I was aware.

Certainly administrative subpoenas that are not based on a grand jury hearing would be susceptible to appeal?

[Natsu]

It's easy to miss and it's been getting lost in all the noise, I fear. You don't appeal subpoenas, you try to quash them and prevent the information from being disclosed to begin with. I mean, you can't very well have them un-share your identity or personal information after the fact any more than you can un-ring a bell.

Here's one nice little article about how they work in practice:

http://privacysos.org/admin_subpoenas

You will note that they commend Twitter for giving the user notice of the subpoena, even though Twitter is not required to. That's an important point, too: companies may go above and beyond what they're required to. So, assuming you use services that do that, you might get notice even when the company wasn't legally required to provide it.

Finally, here's the Justice Department's own report to Congress on the use of administrative subpoenas:

http://www.justice.gov/archive/olp/rpt_to_congress.htm

Appendix A1 is probably the most relevant part of that, specifically the column labelled "Notification Req. and Privacy Protections."