I’m attending the Northern California Judicial Conference on Sunday, and speaking on a panel in the morning about privacy and digital technology. Here’s the gist of what I’m going to say:

Two points

1. Privacy laws don’t deal well with special issues of the internet/digital technology.

2. The computer crime laws are so broad that innocent people are getting convicted without necessarily helping security/privacy.

When the federal Computer Fraud and Abuse Act and the Electronic Communications Privacy Act were passed in 1986, most people had a telephone, but that’s about it. Telephone companies kept phone numbers dialed, but didn’t record the calls.

Today people have telephones, cell phones, email, instant messenger, web sites and e-commerce. These activities leave a digital trail, not just of phone numbers, but of the contents of communications, what we buy, and what we read; even our physical location is revealed by cell phone records.

Additionally, all this information can be stored forever in databases that are easily and cheaply searchable. Normal people think this stuff is private. But companies claim that this information belongs to them, not to the customer, and sell it to companies that aggregate all the data and sell it to direct marketers and to the government. The few statutes we have protect people from companies revealing the contents of their emails, but not necessarily the rest of the information. And it’s not entirely clear that the Fourth Amendment protects any of this information.

The Electronic Communications Privacy Act and the Stored Communications Act provide some protection for electronic communications. Anytime the government or a party is seeking discovery of email, stored files or digital customer records, the ECPA or SCA applies. The statutes are notoriously convoluted. However, in short, the scheme distinguishes between information in transit and information that is stored, and between the contents of communications and transactional information like email addresses and IP addresses. Information in transit gets greater protection than stored information, and content gets more protection than transactional data.

Why should an email on the fly be more private than an email I’ve already received? Why is data about the books I buy or the web pages I read treated as if it’s no more private than a phone number I dial? Some courts have begun asking these questions. The Eastern District of New York, for example, considered what the government had to show to get cell phone information that pinpoints a customer’s location. The government sought access to the cell site information through the “Stored Communications Act” (SCA), 18 U.S.C. § 2703, which requires a lower standard for authorization than probable cause: namely a showing of “specific and articulable facts” to demonstrate that the data will be “relevant and material to an ongoing criminal investigation.” The court rejected this argument and held that the Government needs probable cause.

Meanwhile, information companies are able to sell your cell phone records, including the numbers you dial, to any private party that wants them.

Currently, no law prevents this. The SCA says that providers of communications services can’t reveal transactional information to the government without proper legal process, but they can sell the data to anyone else. One question is whether providers can sell that information to data brokers who sell that information to the government without any legal process.

The Fourth Amendment may not help privacy here. Smith v. Maryland, and other cases, say that there’s no reasonable expectation of privacy in information you voluntarily give to a third party, and some have argued that this means the Fourth doesn’t apply to any networked communications.

On the other hand, the hallmark of the Fourth Amendment since Katz is that it protects people, not places or property. The government needs a warrant to pick up sound vibrations from the outside of a phone booth, and to use a heat sensor to capture emanations from a house. When signals, whether sound, heat or electrons, are in a public space, but they let the government infer private details, the government should have to get a warrant.

In earlier days with less technology, a lot of our privacy was latent in physical reality. When I walked down the street, if no one else was there, I could assume I was unobserved, and take the time to fix my lipstick. With video cameras, that’s not true. But with analog video cameras, someone needed to be watching. Now, with digital video cameras, it’s cheap to store the video forever. Machines can tag the points in the video where someone is moving and help viewers search. Is there a privacy difference between walking down a public street, being recorded on a public street, having that recording saved and searchable, and having that recording sold to the highest bidder? I think so. So what should the law do about it?

These examples should demonstrate that analogies don’t answer the question because modern technology is categorically different. Modern technology affects privacy by making information collection possible, cheap, easy, searchable, storable and aggregatable.

These are the kinds of questions that courts are going to be asked to answer in the next few years.

One law that’s supposed to protect our data, the Computer Fraud and Abuse Act, has been overused in ways that not only fail to protect privacy, but actually interfere with free speech and privacy.

The federal statute and every state prohibit accessing computers or a computer system without authorization, or in excess of authorization. The federal law also has as an element of the offense that the attacker has to have caused $5000 in damage, and damage is defined as interfering with the availability or the integrity of the system.

What does it mean to access a networked computer? Any communication with that computer, whether it’s simply one computer asking another “are you there”, or downloading trade secrets, transmits electrons to the other machine. Email, web visiting, even port scanning, which is querying a computer as to what programs it’s offering to network users, is access. One case has said that when I send an email, not only am I accessing your email server and your computer, but I’m accessing every computer in between that helps transmit my message.

What does it mean to act without authorization? Authorization comes from the owner of the targeted system. If the owner doesn’t want you to use the system, for whatever reason, it’s unauthorized. Cases say it’s unauthorized access to send unwanted email, to visit web pages using a borrowed username and password, to search published price data, to use a service after being notified to stop, or to use it in contravention of the terms of a license agreement. Some courts have even held that accessing information you have permission to access is unauthorized if you are doing it counter to the interests of your employer. The Ninth Circuit says sending a patently invalid subpoena for email information is unauthorized access too.

In the federal law, the plaintiff or prosecutor must also show $5000 of damage. It’s trivial to show damage when there’s a computer intrusion; just a few hours of investigation time is worth $5000. But in privacy cases, since privacy is hard to value, there’s not enough damage. Thus, when people sued the ad company Doubleclick for putting cookies on their machines that tracked users’ web surfing, the court said that there wasn’t enough damage to meet the $5000 threshold.

Perhaps state statutes would be more useful here, because most don’t have a $5000 threshold.

As a result of the unbelievably broad definition of computer crimes, Bret McDanel was convicted of violating section 1030 when he emailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company email server by sending emails, that the access was unauthorized because the company didn’t want this information distributed, and that the integrity of the system was impaired because lots more people (customers) now knew that the system was insecure. Despite the fact that this is obviously First Amendment protected speech, the trial court convicted and sentenced McDanel to 16 months in prison, which he served by the time the appeal was resolved. On appeal, the government realized it had done something wrong and voluntarily moved to vacate the conviction. It didn’t agree that McDanel didn’t violate the statute, but it argued that in order to convict, they would have had to show that McDanel distributed the information with the intent that a third party use it to breach the security of the messaging system. This isn’t in the statute, but is based on the government’s reading of First Amendment cases.

There’s a similar case in which the defendant was arraigned in Los Angeles on Friday. In this case, the defendant is a professional computer security expert who noticed that there was a problem with the way the University of Southern California had written its applicant web submission database program, and that problem allows an outsider to get ahold of applicants’ personal information, including social security numbers. For proof, the man copied a few of the personal records and anonymously sent them to a reporter, who notified the school. The school investigated and easily traced the testing back to the defendant. Defendant is said to have caused damage because the school had to spend $140K notifying people in the database that the database was insecure and someone might have accessed their records.

Security professionals are also afraid to use affirmative defense technology to protect their systems. There are tools that, if a computer is attacking you with a certain kind of worm or virus, will access that computer and install software to shut down the attack. This is unauthorized access. And, the attacking computer is most likely a zombie, an innocent person’s machine that is caught up in the worm attack.

In sum, the statutes are too broad, they interfere with computer security reporting, testing and self defense, and they don’t protect privacy.