Saturday, March 10, 2018

Regulation Banning Bump Stocks


Department of Justice Submits Notice of Proposed Regulation Banning Bump Stocks

Today (March 10, 2018) the Department of Justice submitted to the Office of Management and Budget a notice of a proposed regulation to clarify that the definition of "machinegun" in the National Firearms Act and Gun Control Act includes bump stock type devices, and that federal law accordingly prohibits the possession, sale, or manufacture of such devices.

Bump fire is a technique that anyone can learn in an afternoon. Banning bump fire stocks does nothing to limit the ability of a shooter to empty a magazine rapidly. While I am not a fan of bump fire stocks, or bump firing in general - it is not accurate and tends to waste ammo - there is no security benefit to banning bump fire stocks. Furthermore, there are other devices that allow rapid manipulation of a trigger, such as the BMF Activator.

(Replacing the hand crank on the BMF Activator with a small electric motor would allow very rapid manipulation of the trigger with the press of a switch. Making this modification to a BMF Activator is likely illegal.)  

You Don't Need a Special Stock to Bump Fire, as can be seen in the following YouTube videos:

How to Bumpfire without a Bumpfire Stock

'Bump Fire' without a Bump-fire Stock, courtesy of ThatGunGuy45

How to Bump Fire without a Bumpfire Stock in Detail!

Former ATF Analyst - Bump Fire without Slide Fire Stock



FBI Secret Surveillance...


Senator Rand Paul (R-KY) published a link to the following NBC News article on his Facebook page on March 5, 2018:

The FBI's secret warrant to surveil Carter Page should scare all Americans and spur reform

As technology makes state scrutiny increasingly easy, America has seen a corresponding increase in the abuse of its surveillance tools. With a legal framework, first created in the 1970s - before the widespread use of computers, email or cell phones - the few safeguards we have are evaporating rapidly.

When a physical search occurs in accordance with American criminal law, law enforcement must show probable cause and obtain permission from a judge, and then present a given suspect with a warrant, and a receipt for the items removed. When law enforcement wants to obtain a criminal wiretap, they similarly have to show probable cause to obtain a warrant, carefully collect information related to potential crimes, and then disclose that information if charges are brought. The key difference is that with the latter, the suspect will only discover they've had their privacy violated after they've been indicted. With a FISC warrant, it's possible a suspect will never find out, even if charges are eventually filed.

In the case of Carter Page, his private life was monitored, for almost a year, without his knowledge, and then placed on display for strangers at the FBI to peruse, all based on a suspicion that he was colluding with Russia. On the basis of hearsay, business associations, and possibly Page's political opinions, the FBI received a classified surveillance warrant and then renewed it three times. And yet, Page was never officially charged - suggesting that, even given the ability to surveil him in ways that might make the general public cringe, the FBI was never able to find enough evidence for a single crime.

--

A February 27, 2018 article in TechCrunch stated: "The warrantless surveillance law, otherwise known as Section 702 of the Foreign Intelligence Surveillance Act, gained mass attention back in 2013 when Edward Snowden leaked information that the NSA was using it to spy on Americans’ text messages, phone calls, emails and internet activity - all legally, and without warrants. That bill has been passed by the U.S. Senate for another six years and has now been signed into law by President Trump - a further extension of what should be an Orwellian cliché but remains quite real... Senators Rand Paul (R-KY), Michael Lee (R-UT), Patrick Leahy (D-VT) and Ron Wyden (D-OR) agree, presenting a bipartisan letter to colleagues stating that 'this bill allows an end-run on the Constitution by permitting information collected without a warrant to be used against Americans in domestic criminal investigations.'"

"Section 702’s intended purpose is to protect American soldiers, keep U.S. decision-makers informed about the intentions of adversary nations and help federal agents detect and prevent terrorist attacks on U.S. soil. However, the evaluation of 160,000 emails and instant messenger conversations collected under Section 702 between 2009 and 2012 (leaked by Snowden in 2013) showed that 90 percent of them were from online accounts that were not foreign surveillance targets, according to The Washington Post. And nearly half of those belonged to U.S. citizens or residents. That’s tens of thousands of emails from regular people, collected without our approval, say-so or, indeed, knowledge."

"It’s time to take this into our own hands. Privacy solutions and applications have been skyrocketing in demand, and with news that this law will likely prevail for another six years - as well as the recent scrapping of net neutrality - that demand is only going to increase as people seek to take their online security and privacy into their own hands."

--

The ability of the government, whether it is the FBI or your local police department, to conduct secret investigations, and create secret and hidden files where your personal information becomes part of a government database, record, or system of records is a significant threat to your privacy, violates your rights, and infringes upon your civil liberties.

If you are concerned about inappropriate investigations, and hidden records being kept about you, contact your Senator and/or Congressional Representative and express your concern.

A secret, non-adversarial system of judicial review is an insufficient check to our intelligence agencies and law enforcement.


Friday, March 9, 2018

Mind Your Data - A Guide to Regain Privacy from Wirtschaftsuniversität Wien


Mind Your Data - Your Guide to Regain Privacy and Control was written by MSc. Information System students at Vienna University (WU) of Business and Economics.

In this guide WU students at the university's Privacy & Sustainable Computing Lab review privacy in messenger apps, social networks, map & location apps, calendar apps, and e-mail apps. They provide a comparison 'scorecard' for a selection of apps and services in the above categories.

** 25 online services are benchmarked as to their privacy friendliness, including Facebook, WhatsApp, Viber, Twitter, Instagram, Google Maps, Gmail, etc.

** Examples are given on why you should care to regain control over your data.

** Many practical tips by the students themselves.

Download it here for free.

I think that the guide is very well written, and recommend it to anyone interested in improving his or her personal privacy.
 
 

2018 Identity Fraud Study


Javelin Strategy & Research has released its 2018 Identity Fraud Study.

The study found that 16.7 million U.S. consumers were victims of identity fraud, an increase of eight percent over the previous year, and a record high since 2003 when Javelin Strategy & Research began tracking identity fraud.


Five Safety Tips to Protect Consumers

Javelin believes that consumers who exercise good online security habits can minimize their risk and impact of identity fraud. The following are five recommendations for consumers to follow:

Turn on two-factor authentication wherever possible - Enabling two-factor authentication on sites that have that capability, where a separate action must be taken beyond providing a user name and password to access an account, can make it significantly more difficult for fraudsters to take over your accounts. For sites without two-factor authentication, use strong passwords or a password manager to secure accounts.
   
Secure your devices - With consumers increasingly relying on their digital devices to obtain goods and services, making purchases and sharing personal information, criminals have shifted their focus to these devices for the access they can provide to accounts and the information they store or transmit. Secure online and mobile devices by instituting a screen lock, encrypting data stored on the devices, avoiding public Wi-Fi and/or using a VPN, and installing anti-malware.
   
Place a security freeze - If you are not planning on opening new accounts in the near future, a freeze on your credit report can prevent anyone else from opening one in your name - which is especially important if you have been a victim of a data breach that has exposed sensitive personally identifiable information. Credit freezes must be placed with all three credit bureaus and prevent everyone except for existing creditors and certain government agencies from accessing your credit report. While costs vary per state, typically each bureau costs below $20. Should you need to open an account requiring a credit check, the freeze can be lifted through the credit bureaus.
   
Sign up for account alerts everywhere - A variety of financial service providers, including depository institutions, credit card issuers and brokerages, provide their customers with the option to receive notifications of suspicious activity - as do businesses in other industries, such as email and social media providers. These notifications can often be received through email or text message, making some notifications immediate, and some go so far as to allow their customers to specify the scenarios under which they want to be notified, so as to reduce false alarms.
   
Protect yourself from unauthorized online transactions - As EMV makes fraud at physical stores more challenging, fraudsters are moving to target online merchants. Some financial institutions offer alerts for online transactions, the ability to institute limits on online transactions, or even advanced controls through 3-D Secure (e.g., Verified by Visa, SecureCode from Mastercard, etc.). These can help quickly detect and even prevent online fraud from occurring.



Thursday, March 8, 2018

"Geek Squad" and the FBI


According to a March 6, 2018 article by the Electronic Frontier Foundation (EFF), Best Buy's "Geek Squad" employees are working as paid informants for the FBI.

The FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. According to documents obtained by the EFF as part of a FOIA request "Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years."

While Best Buy insists their employees are prohibited from searching customer devices beyond "what is necessary to solve the customer’s problem," EFF points out that some Geek Squad workers were incentivized [paid] by law enforcement to gather further information.

FBI agents would come and confiscate any device on which technicians found illegal content, take it to a field office, and, in some cases, obtain a warrant to search the device. Several informants received payments from $500 to $1000 for their cooperation.

Critics have raised possible Fourth Amendment issues with this unusual practice. Best Buy is paid to search a customer's devices for the purpose of repair, but the FBI is supposed to obtain a warrant to do so. Providing a monetary incentive to employees would likely encourage them to perform searches that are unnecessary to the repair. The FBI has been paying the Best Buy Geek Squad technicians to conduct warrantless searches of customers' computers, and then to notify the FBI if potential illegal content is found.

Fox News Digital - The FBI paid Geek Squad employees as informants (YouTube Video)


* Added in response to a comment: Computer technicians are specifically named as mandatory reporters in many states. This is no surprise to anyone, and it has been this way for many years (here is an article from 2008 that talks about this requirement). Everyone would agree that if you come across crimes against children during the course of your job, you should report it. What the EFF's (and many others') concern seems to be isn't that Geek Squad technicians found child pornography and reported it - they are required to do so - rather that the FBI recruited these technicians to conduct warrantless searches of computers brought to them for repair in an effort to find evidence of illegal activity. The question is whether the FBI can recruit confidential human sources (CHS) to conduct searches that they cannot do themselves without a warrant.


Wednesday, March 7, 2018

FOIA Gone Wrong


According to an article in the Chicago Tribune, a federal judge has said that the city of Aurora and its former records manager could be held legally responsible for endangering police officers by mailing their personnel files to an Illinois prisoner.

In an opinion and order denying the motion to dismiss the lawsuit, U.S. District Judge Sara L. Ellis stated the officers had met their burden for pleading their case under theories including state-created danger.

"Defendants perhaps confuse 'danger' with whether the private actor needs to actually commit harm to the plaintiffs for a state-created danger theory to apply," Ellis wrote. "If the government throws an individual into a snake pit, and the individual is not harmed by the snakes, but hurts himself escaping the pit, the government has still placed the individual in danger that has caused the individual harm."

In the above case, the records manager released information, in response to a FOIA request, that created a potential danger to the police officers now bringing this lawsuit. But it's not just information released through FOIA that can create this type of danger.

An even greater danger may be created when a government employee releases official information - "which includes all information that he acquired as part of his official duties or because of his official status" - outside of his own agency without going through the FOIA office. This can include releasing information to another agency, especially if that information has the potential to become public. Remember, if you received information during the course of your official duties you generally may not release that information to another agency, organization, or individual without following proper release and documentation procedures (i.e. FOIA).

That being said, a great deal of information may be released about you under FOIA if you are a military Service Member or Federal Civilian Employee.

32 CFR 505.7 - Disclosure of personal information to other agencies and third parties, states:

The Department of the Army is prohibited from disclosing a record from a Privacy Act system of records to any person or agency without the prior written consent of the subject of the record...

Despite Privacy Act protections, all records must be disclosed if the Freedom of Information Act (FOIA) requires their release.

The following are examples of personal information that is generally not exempt from the FOIA; therefore, it must be released to the public:

(i) Military Personnel -

(A) Rank, date of rank, active duty entry date, basic pay entry date, and gross pay (including base pay, special pay, and all allowances except Basic Allowance for Housing);
(B) Present and past duty assignments, future stateside assignments;
(C) Office/unit name, duties address and telephone number (DOD policy may require withholding of this information in certain circumstances);
(D) Source of commission, promotion sequence number, military awards and decorations, and professional military education;
(E) Duty status, at any given time;
(F) Separation or retirement dates;
(G) Military occupational specialty (MOS);
(H) Active duty official attendance at technical, scientific or professional meetings; and
(I) Biographies and photos of key personnel (DOD policy may require withholding of this information in certain circumstances).

(ii) Federal civilian employees -

(A) Present and past position titles, occupational series, and grade;
(B) Present and past annual salary rates (including performance awards or bonuses, incentive awards, merit pay amount, Meritorious or Distinguished Executive Ranks, and allowances and differentials);
(C) Present and past duty stations;
(D) Office or duty telephone number (DOD policy may require withholding of this information in certain circumstances); and
(E) Position descriptions, identification of job elements, and performance standards (but not actual performance appraisals), the release of which would not interfere with law enforcement programs or severely inhibit agency effectiveness. Performance elements and standards (or work expectations) may also be withheld when they are so intertwined with performance appraisals, the disclosure would reveal an individual's performance appraisal.

There are many reasons that we may choose to safeguard our personal information. The fact that it may be released to others, either because of error, misconduct, or because it is required to be released under FOIA and similar state public records laws, should be ample incentive to limit what information about ourselves we allow to be included in government records.


EFF - Surveillance Self-Defense Site (redesigned)


The Electronic Frontier Foundation (EFF) has announced the launch of its redesigned Surveillance Self-Defense site, which now contains over forty guides in eleven languages, filled with tips on how to protect your communications and privacy online!

Surveillance Self-Defense (SSD) is a guide to protecting yourself from electronic surveillance for people all over the world. Some aspects of this guide will be useful to people with very little technical knowledge, while others are aimed at an audience with considerable technical expertise and privacy/security trainers. We believe that everyone's threat model is unique - from activists in China to journalists in Europe to the LGBTQ community in Uganda. We believe that everyone has something to protect, whether it's from the government or parents or prying employers, stalkers, data-mining corporations, or an abusive partner.


Wickr New Features


Wickr announced in their blog the addition of new features to Wickr Messenger.

1. End-to-end encrypted calling: no requirement to connect your phone number to your Wickr account, making completely private voice conversations a reality for journalists and their sources, human rights activists and anyone who cares about their privacy.

2. Encrypted and ephemeral voice messages: tap and record a voice memo when you have something urgent to say. Like everything else on Wickr, it’ll expire when you no longer need it.

3. Screenshot detection for both iOS and Android coming in next release: while there is no privacy silver bullet, transparency around capturing messages enables trust and helps set privacy expectations between you and your contacts.

I like Wickr and recommend it as a way to communicate privately and securely. Wickr is available for both iOS and Android, as well as a Windows Desktop program. If you are currently using Wickr you will need to update your app to take advantage of the new features. If you are not currently using Wickr, download your free copy today and keep your personal communication private and secure.


Tuesday, March 6, 2018

Cyber-Security for Police Officers


In April 2015, the FBI warned "Law enforcement personnel and public officials may be at an increased risk of cyber-attacks. These attacks can be precipitated by someone scanning networks or opening infected emails containing malicious attachments or links. Hacking collectives are effective at leveraging open source, publicly available information identifying officers, their employers, and their families. With this in mind, officers and public officials should be aware of their online presence and exposure. For example, posting images wearing uniforms displaying name tags or listing their police department on social media sites can increase an officer's risk of being targeted or attacked."

The FBI recommended that law enforcement personnel take the following steps to protect themselves against being targeted by hacktivists:
  • Turn on all privacy settings on social media sites and refrain from posting pictures showing your affiliation to law enforcement.
  • Be aware of your security settings on your home computers and wireless networks.
  • Limit your personal postings on media sites and carefully consider comments.
  • Restrict your driver license and vehicle registration information with the Department of Motor Vehicles.
  • Request real estate and personal property records be restricted from online searches with your specific county.
  • Routinely update hardware and software applications, including antivirus.
  • Pay close attention to all work and personal emails, especially those containing attachments or links to other Web sites. These suspicious or phishing emails may contain infected attachments or links.
  • Routinely conduct online searches of your name to identify what public information is already available.
  • Enable additional email security measures to include two factor authentication on your personal email accounts. This is a security feature offered by many email providers. The feature will cause a text message to be sent to your mobile device prior to accessing your email account.
  • Closely monitor your credit and banking activity for fraudulent activity.
  • Passwords should be changed regularly. It is recommended to use a password phrase of 15 characters or more. Example of a password phrase: Thisisthemonthofseptember,2014.
  • Be aware of pretext or suspicious phone calls or emails from people phishing for information or pretending to know you. Social engineering is a skill often used to trick you into divulging confidential information and continues to be an extremely effective method for criminals.
  • Advise family members to turn on security settings on ALL social media accounts. Family member associations are public information and family members can become online targets of opportunity.

Many of the recommendations made by the FBI can be used by non-law enforcement personnel to protect themselves as well.

Following the FBI's recommendations in 2015, the Office of Justice Programs published a guide, Understanding Digital Footprints: Steps to Protect Personal Information, in September 2016. This guide provides material designed to assist law enforcement personnel in protecting themselves and their families from becoming cyber targets: protecting personal information, cyber dos and don'ts, and links to further cyber training and resources.


Social Media Recommendations for the Police

You Have The Right to Remain Silent.
  • What do you have to gain from posting? If you stand to lose more than you stand to gain - you have the right to remain silent.
  • If you're posting out of anger - maybe in a political discussion - then you should stop & think before engaging anyone online.

Be Careful About What You Say.
  • There is no such thing as a "private" social media account - especially when you are known to be a law enforcement officer.
  • Your "private" messages can be screen-captured and can still be shared.
  • Ask yourself if all of your social media "friends" are actually your friends. Do you know them well enough to trust them with your career?

Will You Need to Defend What You Said?
  • Sure, other people will probably come to your defense if an argument ensues. The problem is, you now need to be defended.

Who Will Come to Your Defense, Even if You Don't Ask?
  • You can't choose your defenders in the world of social media.
  • Members of fringe organizations or individuals whose profile pictures are offensive and do not represent your beliefs can quickly jump into the fray to "defend" you but actually make things much worse.

Think Before You Post and Protect Your Accounts.
  • Don't be afraid to walk away from a debate. Put down your phone, walk away from your desktop, and do something that'll make you happy.
  • Before posting, ask yourself, "How is my life and career going to practically benefit from this exchange?" If you don't think you'll see any positive results, then why engage in this?
  • Unfollow or unfriend toxic people. You're not obligated to give people access to you.

Monday, March 5, 2018

USMC Data Breach


The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve.

Roughly 21,426 people were impacted when an unencrypted email with an attachment containing personal confidential information was sent to the wrong email distribution list Monday morning. The compromised attachment included highly sensitive data such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information, Maj. Andrew Aranda, spokesman for Marine Forces Reserve said in a command release.

That email was a roster sent out by the Defense Travel System, or DTS, Marine Corps Times has learned. DTS is a Defense Department system that assists military and civilian defense personnel with travel itineraries and settling expenses from official authorized trips. "It was very quickly noticed and email recall procedures were implemented to reduce the number of accounts that received it," Aranda said.

The email containing the data was sent within the usmc.mil official unclassified Marine domain, but also to some civilian accounts. Personal information can be used by criminals or entities to steal identities, commit bank and credit fraud, or phishing schemes. In 2015, ISIS posted a 'kill list' of 41 Marines and sailors based on information it pulled from publicly accessible online forums and social media accounts.

The Marines are still analyzing the extent of the spread of the sensitive data and plan to implement future changes to better safeguard personally identifiable information. But Aranda said he believed "no malicious intent was involved."

However, analyzing the full impact could prove to be a Sisyphean task. Once the data moves outside of the Marine domain there's no telling how far it could spread.

The Corps plans to notify those affected by the breach and provide guidance on ways to safeguard from identity theft. "The Marine Corps takes the protection of individual Marines' private information and personal data very seriously, and we have steps in place to prevent the accidental or intentional release of such information," Aranda said.  (Marine Corps Times)

--

Delete Old Gmail


  • Open Gmail
  • In the search bar, if you type older_than:6m, Gmail will list your e-mails older than six months. You can use y for years or d for days, as well.
  • If you want to delete all of these e-mails, click the Check all box, followed by the Delete button.
  • This moves your selected messages to the Trash. To permanently delete these messages you need to go to the Trash folder and click: Empty Trash Now. (Messages that have been in Trash more than 30 days will be automatically deleted.)

As a best practice you should never store messages older than 180 days (6 months) in your e-mail account (including in the Trash). The content of e-mail older than 180 days is considered a "stored communication" and does not have the same protection under the law as newer unopened e-mail.

Once you have deleted your e-mails and emptied the Trash folder your messages are gone, but there is one more important thing to consider. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from [Google] servers.

According to Google - "Google keeps multiple backup copies of users' emails so that we can recover messages and restore accounts in case of errors or system failure, for some limited periods of time. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our servers. Deleted messages may also remain on offline backup systems for some limited period of time. This is standard practice in the email industry, which Gmail and other major webmail services follow in order to provide a reliable service for users. We will make reasonable efforts to remove deleted information from offline backup systems as quickly as is practical."

Generally, once you have read and replied to an e-mail (once the e-mail conversation is over) you should delete that e-mail (under 18 USC 2703, opened e-mail stored on a remote system only requires a subpoena to compel your service provider to turn it over to the government). If you think you will need the e-mail for reference in the future, save it to a secure, encrypted folder on your computer (a warrant is required to seize information stored on your home computer). To avoid having "stored communications" in your Gmail it is important that you delete opened e-mail as soon as possible after reading it, and all messages older than four months (this allows for residual copies to exist on Google servers for up to 60 days, yet still be permanently deleted before becoming 180 days old).



Sign Out of Gmail on Multiple Devices


In 2016, Gmail had more than 1 billion active users every month. If you are one of those 1 billion users of Gmail, and if you check your e-mail on more than one computer, it is possible that your Gmail account is still signed in on a computer that you don't control.

Do you check your Gmail from work? Did you remember to sign out after you logged into your Gmail at school, the library, at the hotel during your last business trip or vacation? More importantly, if a laptop or mobile device is lost or stolen, it’s crucial to know how to disconnect your private accounts from it immediately.

To sign out of Gmail on multiple devices:

1. Log in to Gmail on your computer.
2. Scroll to the bottom of your inbox.
3. There in the lower right corner, below your e-mail you will see, in small print, "Last account activity".
4. Click the "Details" link below the last account activity date/time.
5. Here you will see an activity log showing when and where your Gmail account has been logged in.
6. On the details page, click the "sign out all other web sessions" button to remotely log out of Gmail from computers in other locations. 

If someone has your password, or if you have it saved on the computer, that person could log back into your Gmail account. So, it is a good idea to change your password if you see any log-ins that you didn't make, or if you think your password might have been saved to a computer other than your own.

Sunday, March 4, 2018

WA Passes Net Neutrality Legislation


Washington’s net neutrality law applies to all ISPs that serve residents, whether or not they have state deals. All internet service offered in Washington would have to be free from blocking or throttling of legal online content. Nor could it be subject to a system of premium-priced "fast lanes" that offer better bandwidth to content providers that pay extra for the privilege.

Net neutrality advocates (those supporting the FCC action repealing net neutrality) say undoing these rules makes it harder for the government to crack down on internet providers who act against consumer interests and will harm innovation. The FCC’s new rules are not expected to go into effect until later this spring.

Washington state’s net neutrality law is likely to face legal challenges. The FCC’s official repeal of net neutrality, which was published in the Federal Register last week, preempts states and local jurisdictions from passing de facto net neutrality laws. The FCC said it would "preempt any state or local measures that would effectively impose rules or requirements that we have repealed or decided to refrain from imposing in this order."

Come Back With A Warrant


If the Federal government wants to compel an on-line service provider, like Yahoo or Google, to turn over your e-mail, they need a warrant. That's the industry-accepted best practice, implemented by nearly every major service provider. More importantly, it's what the Fourth Amendment requires.

However, there are a couple of exceptions to the warrant requirement, where only a subpoena is required for the government to access your private e-mail. The first is e-mail that you have opened (and presumably read) that is stored on a remote system (i.e. in your Yahoo or Gmail account). The second is when an e-mail remains unopened on a remote system for more than 180 days.

A subpoena is an order that requires an eyewitness or a material witness to appear in a specific place, such as an attorney’s office or in court, on a specific date and time to provide sworn testimony about what the person saw, heard or knows -- or to provide relevant documents. Under an "Administrative Subpoena", which requires little more than a federal official's signature, banks, hospitals, bookstores, telecommunications companies and even utilities and internet service providers - virtually all businesses - are required to hand over sensitive data on individuals or corporations, as long as a government agent declares the information is relevant to an investigation. Via a wide range of laws, Congress has authorized the government to bypass the Fourth Amendment - the constitutional guard against unreasonable searches and seizures that requires a probable-cause warrant signed by a judge.

A warrant is a court order that authorizes law enforcement personnel to search or seize property or arrest a person suspected of committing a crime. The U.S. Constitution requires a warrant to protect an accused person’s Fourth Amendment rights. Unlike with a subpoena, a judge must always issue a warrant -- and only if the request meets the "probable cause" standard. Probable cause requires some type of evidence, not just a suspicion of a crime.

Data seizure laws are far more complex than can be described in the couple of paragraphs above, but there are some things that we should be aware of with regard to data privacy. E-mail in transit, and e-mail stored on a remote system for 180 days or less, as long as the e-mail hasn't been opened, requires a warrant to obtain its content. E-mail that you have downloaded and store on your home computer also requires a warrant if the government wants to come into your home and seize those e-mails.

Where we lose our legal protections is after we open and read an e-mail and then leave that e-mail on a remote system, or if we leave an unopened e-mail on a remote system for more than 180 days. In these cases a government official need only declare that your e-mail contains "information that is relevant to an investigation", and your e-mail service provider is compelled by subpoena to hand your private messages to the government.

To help protect your e-mail against warrantless search and seizure:
  • Never leave any e-mail on a remote system for more than 180 days.
  • Once you have opened an e-mail, delete it from the remote system. Never leave opened e-mail stored on-line.
  • Use an encrypted e-mail service, such as ProtonMail or Tutanota. Strong encryption will help protect the content of your e-mail.
  • Use an e-mail service in a country other than where you reside. (A US subpoena will have little effect on a Russian e-mail service provider.)
Ultimately, our constitutional rights shouldn't be diminished just because the Federal government wants to conduct its investigations without meeting the requirements necessary to obtain a warrant.
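
The first two items in the list above can be checked over IMAP. The following Python code is an added example, not part of the original post: it builds a SEARCH query for mail that is opened or has been stored for more than 180 days. It assumes the IMAP \Seen flag stands in for "opened" and the server's internal date for when the message was stored; the function names are illustrative.

```python
from datetime import date, timedelta

RETENTION_DAYS = 180  # age threshold described in the post
_MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def imap_date(d):
    """Format a date as IMAP expects (RFC 3501), independent of locale."""
    return f"{d.day:02d}-{_MONTHS[d.month - 1]}-{d.year}"

def exposure_criteria(today):
    """SEARCH key matching opened mail OR mail older than the threshold."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    # BEFORE compares the server's internal date and excludes the cutoff day,
    # so it matches messages stored for more than RETENTION_DAYS days.
    return f"(OR SEEN BEFORE {imap_date(cutoff)})"

def reasons(internal_date, flags, today):
    """Explain why one message matches (the same rule, applied locally)."""
    out = []
    if "\\Seen" in flags:
        out.append("opened")
    if (today - internal_date).days > RETENTION_DAYS:
        out.append(f"stored more than {RETENTION_DAYS} days")
    return out

def find_exposed(conn, today, mailbox="INBOX"):
    """Return UIDs of matching messages.

    conn is a logged-in imaplib.IMAP4_SSL object; the mailbox is opened
    read-only, so nothing is deleted or marked as read by this audit.
    """
    typ, _ = conn.select(mailbox, readonly=True)
    if typ != "OK":
        raise RuntimeError(f"cannot select {mailbox}")
    typ, data = conn.uid("SEARCH", None, exposure_criteria(today))
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    return [int(u) for u in data[0].split()]

if __name__ == "__main__":
    # Constructed sample metadata: (uid, internal date, flags)
    today = date(2018, 3, 10)
    sample = [(1, date(2017, 8, 1), set()), (2, date(2018, 3, 1), {"\\Seen"}),
              (3, date(2018, 3, 9), set())]
    print(exposure_criteria(today))
    for uid, when, flags in sample:
        print(uid, reasons(when, flags, today) or "neither condition applies")
```

Download the messages it lists to local storage before deleting them from the server if you need to keep them.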


The Email Privacy Act is simple: it requires the government to get a probable cause warrant from a judge before obtaining private communications and documents stored online with companies such as Google, Facebook, and Dropbox - regardless of how long they have been stored.

The House’s unanimous vote on the Email Privacy Act last year demonstrated bipartisan agreement that the e-mails in your inbox should have the same privacy protections as the papers in your desk drawer. Urge the Senate to swiftly pass H.R. 387 to protect on-line content with a probable cause warrant.