* FBI used subpoenas, other means to identify email sender
* Thousands of emails eventually turned over
* U.S. says no judicial approval needed for opened emails
* Google, Facebook resisting warrantless snooping
By Joseph Menn
SAN FRANCISCO, Nov 17 (Reuters) - The scandal surrounding the sudden resignation of an adulterous CIA director has stunned the American public not just for its prominent cast of characters, but also because of the ease with which authorities appeared to have traipsed through personal email accounts.
Technology has transformed communications much faster than the law, giving U.S. authorities at all levels the power to routinely search reams of intimate emails, texts and instant messages, with much lower burdens of proof as far as the relevance to a criminal case.
Often, the subjects of electronic searches never know that they’ve been hit, let alone why.
Recently, big tech companies including Google Inc and Facebook Inc are pushing back, refusing to disclose even old communications without a warrant and effectively daring the government to press its policy in court.
The issue has been thrust into the spotlight by the still-unfolding scandal that started with the revelation that General David Petraeus, while serving as CIA director, had an extramarital affair with his biographer, Paula Broadwell.
The relationship was discovered because Jill Kelley, a Tampa socialite and family friend of Petraeus, complained to the FBI’s Tampa office about anonymous harassing emails.
Kelley herself didn’t realize how badly an electronic inquiry could mushroom beyond control. She wrote an email on Wednesday to Tampa Bay’s mayor that said her family had been “put through the ringer,” in part because police released 911 phone call transcripts with her home address and cell phone number. That email, in turn, was among those released Friday after public-records requests to city hall from the media.
In the initial probe, the FBI was disturbed that Kelley’s anonymous emailer had confidential information about Petraeus’ whereabouts. It issued an administrative subpoena empowering agents to examine the email accounts from which the messages came, a law enforcement source told Reuters.
Investigators learned that the harassing messages were sent to Kelley by Broadwell. The FBI eventually got reams of emails, most likely with a warrant or the consent of the correspondents. The agency declined to comment.
In another twist, Marine General John Allen, commander of NATO and U.S. forces in Afghanistan, is now also under investigation for allegedly inappropriate communication with Kelley that was discovered during the course of the same FBI probe. Allen has denied that the two had a sexual relationship, officials said on condition of anonymity.
Authorized snooping has quietly but rapidly reached an unprecedented level in the United States, and the disgrace of senior military officials not accused of any crime provides a rare opportunity to reflect on that transformation, privacy rights advocates said.
“If they subpoena you for your evidence, you can say `buzz off.’ That’s why all these are being served on third parties,” said George Washington University law professor Orin Kerr, a former Justice Department trial attorney. “It’s hidden information, and the service providers can comply cheaply and easily.”
Subpoenas for business records have been commonplace for decades, but as individuals move more of their lives online, the services they adopt are subject to the same scrutiny.
“It has become so easy, the standard is so low, the delivery mechanism is so easy, that all the friction has been removed from the system and it now basically becomes a very standard investigative technique,” said Jim Dempsey, vice president of the Center for Democracy & Technology, a nonprofit that gets funding from big technology companies.
The FBI, which has broad authority over cybercrimes from identity fraud to online stalking, can gather technical information about private citizens’ email accounts with only a subpoena.
The subpoena in theory must not be overly burdensome on the recipient, but otherwise has few limits. Subpoenas can be drafted by a senior FBI agent or equivalent and do not require a judge’s approval. They are common in grand jury investigations and other probes of crimes involving multiple parties.
The only potential hurdle comes when agents want the actual text contents of the emails.
Under the Justice Department interpretation of the Electronic Communications Privacy Act (ECPA), emails that are more than 180 days old are deemed “stored” and also can be turned over with just a subpoena.
The act was passed in pre-Web 1986, when electronic communications were rare and users often relied on bulletin-board services that deleted messages after users logged on and downloaded them.
The government argues that even much more recent undeleted emails — those even sent the day prior — are “stored” and fair game once they’ve been read. For years, law enforcement officials have had access to these too, with recipients often left in the dark.
Privacy groups, along with some technology companies that have long sought a rewrite of the ECPA, have contended that emails should not be subject to free-rein rummaging just because such third parties as Google, Microsoft Corp and Yahoo Inc are involved.
The 9th U.S. Circuit Court of Appeals, which covers California and other parts of the West, has agreed, saying that prosecutors need a probable-cause warrant for opened mail less than six months old.
The Ohio-based 6th Circuit went further, ruling in 2010 that much of ECPA conflicted with the Constitution’s Fourth Amendment prohibition on unreasonable searches. That ruling is only binding in a handful of states.
Rather than appeal to the Supreme Court, law enforcement authorities have applied for more warrants but also have just sought out service providers in other jurisdictions.
To some extent, the big tech companies are fighting back.
The 6th Circuit ruling “reflects the right reading of the law and is the appropriate standard for protecting privacy of user-generated content,” Facebook Chief Security Officer Joe Sullivan told Reuters.
He and a spokesman for Google said each company now demands a warrant for emails, even ones older than 180 days.
Google said this week it received requests by U.S. government entities for data on more than 16,000 users during the first six months of this year, up from 12,000 in the prior half-year, and at least partially complied with 90 percent of them.
That total includes warrants, subpoenas, criminal and intelligence wiretap orders and secret “national security letters,” which have become much more common under the 2001 Patriot Act.