US Surveillance Law May Poorly Protect New Text Message Services

Internet-based text message apps are one of the most common means of communicating today. But when it comes to this relatively new technology, surveillance law is behind the times in important ways, and as is so often the case when the law lags technology, our privacy suffers as a result.

Text messages have for some time been a cash cow for the wireless carriers—back in 2007, annual global SMS revenue was estimated to be 60 billion dollars. Charging consumers 25 cents per 140 character text message is a great way to make money, but when those same consumers are already paying for internet connectivity to their smartphones, the market was ripe for disruption. In recent years, a number of internet companies have entered the text message market. In some cases, they have offered low-cost or free SMS services that interoperate with the carriers’ existing SMS system. In other cases, large companies like Facebook, Apple and WhatsApp have offered closed text message services to their smartphone using customers. Often seeking to reduce their monthly telephone bills, millions of consumers have migrated from smartphone text message services provided by the wireless carriers to smartphone text message services provided by internet companies.

As this massive switch takes place, there are significant questions about the process that the government is following in order to compel these internet companies to disclose records about their customers’ text message conversations. The reason these questions exist is that US law has different standards for the surveillance of telephone and internet records.

Two separate standards under existing surveillance law

US surveillance law provides different levels of legal protection to different types of data. Communications content, the “what” you say, generally receives a greater deal of protection than associated “metadata” records, which is the “who” you say it to (as well as the when and where you say it). Although there are many things to dislike about our out-of-date surveillance laws, there is something to be said for the fact that the law is largely neutral with respect to particular technologies.

Thus emails, Facebook messages, private Twitter Direct Messages, and SnapChat photos sent between loved ones are all considered communications content, and receive the same degree of legal protection. This is how it should be.

But while the law is technology-neutral when it comes to communications content, it is not when it comes to metadata, where communications that flow over the telephone network and on the internet are treated differently.

Under one section of the law, 18 USC 2703(c)(1), the government can compel the production of internet communications metadata, such as the “to” and “from” information associated with emails, with either a search warrant or another type of court order (commonly described as a “d” order). This means that in order to obtain records about emails or Facebook messages, government agents need to convince a judge to issue an order compelling the production of those records.

Another part of the law, 18 USC 2703(c)(2), however, permits the government to obtain local and long distance toll billing records associated with the account with a mere subpoena.

In other words, the government can obtain a list of the numbers (and names) that you call with a subpoena, but finding out the names or email addresses of the people that you email requires a court order.

I suppose it’s conceivable that different standards for metadata surveillance of internet and phone communications made sense in the past, when telephone calls and emails were conducted with different devices, connected to different networks, and using services provided by companies in different industries. However, today, everything is transmitted over the same device (typically a smartphone), and all kinds of data flow over the same network (the internet).

Given these two separate legal standards, the question arises: is a cellular text message more like a telephone call or an email? Text message services are typically provided by phone companies, and records of those messages (including the numbers of the sender and recipient) appear on monthly telephone bills. Does that mean that records of text messages should be treated like phone billing records, and not receive the higher protection afforded to email and other internet communications? The wireless carriers seem to think so: AT&T’s online subpoena compliance system permits the government to request SMS metadata. It is likely that the other carriers follow similar policies.

What about a Facebook instant message sent from an app on a smartphone? Well, if the message is transmitted over the internet, from the user’s iPhone to Facebook’s servers, surely it should receive the higher protections for communications metadata, even if the iPhone and the internet connection used by the device are provided by a telephone company.

What if the SMS service on a smartphone isn’t provided by the wireless carrier, but rather, through a third party app? What if the SMS messages are transmitted over the internet to a 3rd party’s servers (perhaps even the same 3rd party that provides email and IM services) rather than servers provided by the wireless carrier? In such a scenario, are the text messages more like a telephone service, or an electronic communications service like email? Who knows?

Surveillance standards vary for Google’s many different text messaging services

Google includes (or distributes) at least four different text messaging applications and services for its Android mobile operating system:

1. The built-in Android Messaging app, which is an interface to the SMS and MMS services provided by the users’ wireless carrier.
2. The built-in Google Talk app, which provides text instant messaging, audio chat and video chat services with other users of Google Talk. These messages are transmitted over the internet connection to Google’s servers.
3. The Google+ app, which includes the ability to engage in text-based conversations with other Google+ users. These messages are transmitted over the internet to Google’s servers.
4. The Google Voice app, which provides text messaging to other telephone numbers via an internet connection to Google’s servers. When the recipients of the text messages are also users of Google Voice, the messages will be delivered by Google’s servers to the app on their device via the internet. However, if the recipient is not using Google Voice, then Google’s servers will transmit the message to them as an SMS via their wireless carrier’s telephone network. Regardless of whether or not the recipient uses Google Voice or not, all data transmitted between the Google Voice app on the sending user’s phone and Google’s servers is transmitted over the internet.

The Google+ and Talk apps are clearly internet-based communication services. Therefore, just as with government surveillance of email communications, records associated with Google+ or Talk conversations are clearly protected by 18 USC 2703(c)(1), and their disclosure requires a court order.

It is much more difficult to draw clear lines regarding Google Voice. Messages between two Google Voice subscribers using the Google Voice app on their smartphones are transmitted over the internet and do not use the SMS functionality provided by the wireless carriers. However, since Google Voice is interoperable with the wireless carriers’ SMS system, messages sent to people not using Google Voice will be transmitted by Google through the SMS system.

Google Voice is truly a hybrid system, and as such, it is very tough, just by reading the law, to figure out what the legal standard should be for the government to obtain metadata records.

The government is in fact obtaining Google Voice records without a court order

Although the law is anything but clear, court records from a 2012 federal drug case make it clear that Google is in fact turning over records to the government of SMS messages sent via Google Voice with a mere subpoena. In support of a criminal search warrant, a postal inspector in Ohio referenced a previously submitted subpoena to Google, and the Google Voice text message records that Google provided in response.

When I contacted Google to get some clarification regarding their law enforcement policy regarding Google Voice, they gave me the same, standard PR statement that they give to every journalist writing a surveillance story:

Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.

I’ve spoken to several surveillance law experts who represent internet and telecommunications companies, and the consensus seems to be that Google is in a tough position. Our out-of-date surveillance law treats telephone and internet communications differently, and so hybrid services that communicate over both internet and communications networks are stuck in a legal grey area.

While I cannot blame Google for adopting this particular reading of an out-of-date law, I do think that the company is worthy of criticism for its complete refusal to discuss its surveillance policies regarding Google Voice. If, as it seems, Google turns over Google Voice text message metadata with a mere subpoena but will insist on a court order before providing Google Talk or Google+ text message metadata to police, this seems like a pretty important bit of information to share with its customers.

Google’s customers should be free to vote with their feet (or their data), and to use services that offer them the greatest degree of privacy protection, both via technology and the law. Google’s total failure to be transparent on this issue robs its customers of the ability to take reasonable steps to protect their own communications from warrantless government surveillance.

Finally, while Google’s lawyers hid behind the non-answer provided by their PR team, Google’s competitors were far more transparent. Twitter and Facebook both offer some functionality to their mobile users via SMS, including the ability to send private messages to their friends. In response to queries from me, both Twitter and Facebook confirmed that the companies treat communications metadata the same regardless of whether users’ messages are transmitted to the companies’ servers via SMS or the internet. No court order? No metadata. Not only have these companies apparently adopted a more pro-privacy reading of the law than Google, but they’re also willing to talk about it.

It doesn’t make sense to have different legal standards for phone and Internet metadata

Civil liberties groups from both sides of the political spectrum, academics, and companies have called on Congress to update the Electronic Communications Privacy Act. Congress has made some progress on this, and the Senate Judiciary Committee passed a bill last November. However, none of the existing legislative proposals would in any way improve the privacy protections for metadata, either internet or telephone.

As the recent Petraeus scandal demonstrated, metadata is king. The subpoena standard for basic subscriber records (including telephone billing records) mean that obtaining these sensitive records are typically the first step in any investigation, long before the police would be able to convince a judge to sign an order compelling the production of other forms of data.

When Congress first passed ECPA, and permitted the government to obtain communications metadata with a subpoena, the phone companies didn’t store vast amounts of customer data, and the police didn’t make a huge number of requests. Today, that has changed. The low-cost of digital storage (as well as pressure from law enforcement agencies) has led to multi-year data retention policies among the wireless carriers. Likewise, law enforcement agencies now have a voracious appetite for telephone records. Sprint, the 3rd largest wireless carrier alone receives 500,000 subpoenas per year, many of which likely request historical call detail records for text messages.

As the next Congress dusts the cobwebs off of our aging privacy laws, we can only hope that they will also reexamine the merit of having different standards for telephone and Internet metadata.