In October, the Arizona Republic, CNN, the New York Times, and practically every other large news organization in the country reported that a special prosecutor appointed by Maricopa County Attorney Andrew Thomas had filed a grand jury subpoena against New Times in August, demanding the newspaper hand over the Internet Protocol (IP) address of every computer whose user visited phoenixnewtimes.com since January 1, 2004 (each home computer, and many business computers, have separate IP addresses that act like fingerprints on each site they visit).
The subpoena also demanded to know, for every page visitor who accessed the Web site, "information obtained from 'cookies,' including, but not limited to, authentication, tracking, and maintaining specific information about users (site preferences, contents of electronic shopping carts, etc.)"; the type of browser and operating system the visitor was using; and even the Web site the visitor had been to before viewing phoenixnewtimes.com.
What that means is Thomas wanted to know if you read our paper online. He wanted to know what stories you read, what restaurant listings you looked up, which concert listings and blog posts you read on our site. He wanted to know what other Web sites you visited before you came to our site, and whether you purchased anything on those sites. And he wanted to know what you purchased.
To translate this from the digital realm to its brick-and-mortar equivalent, put it this way: If you picked this paper up from one of our boxes on the street, Andrew Thomas wanted to know your address. He wanted to know if you are reading this article, and any other articles in this paper. If you picked up this paper at a supermarket, the county attorney wanted to know the contents of your shopping cart — Doritos, Cheez Whiz, loaf of bread — everything. And when you put down this paper and went on to read something else — Newsweek, Playboy, the Bible — he wanted to know that, too.
The subpoena came in response to a 2004 New Times story detailing Maricopa County Sheriff Joe Arpaio's hidden commercial real estate holdings. The sheriff invested $790,000 in cash into various real estate properties but hid the details by utilizing an arcane statute that allows law enforcement to mask their home address for security reasons. Arpaio had additional commercial investments of which there were no financial details.
The original story ran down the list of Arpaio's properties and asked two questions: How does a public servant making $78,000 plus a DEA pension come by that sort of cash? Why is the sheriff hiding commercial transactions?
While printing Arpaio's address in the course of this investigation did not present a problem, putting the story on our Web site with his home address was a low-level felony.
Three years after the infraction, county authorities used the violation as the leverage to issue grand jury subpoenas against the paper, its writers, and its readers.
Arpaio has a history of vindictiveness, detailed in Sarah Fenske's New Times cover story "Enemies List" (November 29), which kicked off our "Target Practice" series that continues in this issue. Deputies say the sheriff even used to carry around a list of his "enemies" — those who had supported his political rivals. Now, instead of a slip of paper, Arpaio, Thomas, and their office look to the Internet to do their legwork by searching for the IP addresses of anyone who may have read anything negative about them.
What those law enforcement officials would have done with the names and IP addresses of the thousands of American citizens who had read New Times articles critical of Arpaio is anyone's guess.
New Times responded by publishing the subpoena on October 18 ("Breathtaking Abuse of the Constitution"). Doing so put the paper at legal risk. The paper's owners, Jim Larkin and Michael Lacey, who authored the subpoena story, were arrested shortly after the paper hit the streets. Internet users from around the world left comments on phoenixnewtimes.com, offering up their IP addresses in a show of solidarity against the blatant abuse of power.
After stories in national media detailed the egregious reach of the subpoena, Thomas held a press conference, wrapped himself in the very same Constitution he was trampling on the day before, and announced that the county was dropping the case against the paper.
But New Times' investigation reveals that the county attorney and the sheriff are increasingly targeting computers and online activity in their investigations. As troubling as this emerging threat to the Constitution is, it is equally disturbing that the authorities do not understand the technical nature of the data they seek.
New Times has uncovered numerous instances of law enforcement officials using digital means to attempt to identify political opponents, adversaries, and people who might not agree with them.
In November 2006, sheriff's deputies raided the home of Christy Fritz and confiscated four of her computers. Fritz had designed a mailer for a Democratic candidate running against Republican Representative Jim Weiers. In a photo on the mailer, a Maricopa County Sheriff's Office logo was visible. The deputies' search warrants stated that the emblem may have been stolen — and used that suspicion to take the computers, which contained information about numerous political rivals of Arpaio's.
The seizure of the computers and law enforcement's copying of the data on their hard drives intimidated those associated with the Democratic candidate running for office. The candidate, the campaign manager of the candidate, the graphic designer of the campaign brochure, and even their lawyer, Kyrsten Sinema — herself a state representative — refused to comment out of fear of the consequences.
Even people within Arpaio's own department are not immune. In 2002, Deputy Kelley Waldrip spoke with a New Times reporter looking into possible misuse of funds at the Sheriff's Office. When Arpaio discovered that Waldrip had talked to a reporter, he became angry; Waldrip announced his retirement soon thereafter. Arpaio still saw the deputy as a threat, and his office contacted Waldrip's subsequent employer demanding it hand over Waldrip's IP address. (Knowing Waldrip's work IP address would have given Arpaio a building block to track his activities online).
What makes law enforcement's interest in computers so dangerous is its utter lack of competence in dealing with them.
In 2004, Maricopa County officials arrested a 16-year-old boy for having 10 images of child porn on his computer. In claiming he had never seen the photographs before, he passed two lie detector tests. It was discovered that the computer had been infected with hundreds of spyware and backdoor Trojans, which can hijack your computer via legitimate Web sites and open up your hard drive for someone to store illegal images without your knowledge. Those interested in child porn often use this method to store their illegal images on unsuspecting computers. A British man was cleared of all charges of possessing child porn on his computer in 2003 after authorities discovered a backdoor Trojan on his computer.
Yet the county's computer "expert" did not check the computer for viruses. Thomas was dead set on sending the kid to prison for 90 years.
Thomas went on an ABC news program to explain the case in a January interview with reporter Jim Avila.
Avila: Your expert was not an expert who . . . who did any analysis whatsoever . . .
Thomas: Well . . .
Avila: As to where it came from. All your expert did was say it's here.
Thomas: Well, right.
Ironically, the only thing Thomas was able to get out of the case was decidedly un-digital. The kid ended up taking a plea to a charge of bringing a Playboy magazine to school and showing it to other 16-year-olds.
"Whatever happened in his case, uh . . . Presumably we'll never know because, uh, we . . . we haven't been able to . . . to fully get to the bottom of that," Thomas explained on ABC. "But, uh, an important lesson was taught here."
On a federal level, a case recently came to light that echoes the abuse of power occurring in Arizona. The FBI demanded that online retailer amazon.com hand over the identities of customers who purchased books from a specific, prolific, online used-book seller via Amazon. Amazon refused, and the FBI took it to court, where U.S. Magistrate Judge Stephen Crocker said, in a sealed ruling, that the FBI was out of bounds. Amazon fought to have the ruling unsealed, which it finally was in November, amid strong objections from the prosecutors.
"It is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else," Crocker wrote.
It is also unsettling that prosecutors would seek to hide the words of Judge Crocker.
"Litigants are used to a world of casting broad nets," says Matt Zimmerman in describing prosecutors. Zimmerman is a lawyer for the Electronic Frontier Foundation, a nonprofit civil liberties advocacy group.
But as we continue to communicate online, so much of our information is being stored, especially by intermediaries such as search engines. We will continue to see the government and private entities trying to get information that should remain private unless legislation is passed to stop it. And there are no serious pending proposals in Congress to stop this.
"Sometimes you need public embarrassments to change laws," says Zimmerman.
One of the best examples of this is the Robert Bork video-store case.
In the middle of Bork's Supreme Court nomination process in 1987, a newspaper published Bork's video-rental history obtained from his local video store. The list contained mainstream movies like Ruthless People and The Man Who Knew Too Much, but its publication put the fear of God into Congress. What if reporters started looking into their video-viewing habits? The results might not be so benign. So, in 1988, Congress passed the Video Privacy Protection act, which prevents "wrongful disclosure of video tape rental or sale records."
"It is one of the most robust pieces of privacy legislation," says Zimmerman.
There is no such robust privacy protection for the Web.
When the executive editor and CEO of New Times and Village Voice Media were arrested, the law was not on their side. Andrew Thomas fired special prosecutor Dennis Wilenchik because the public rose up and raised hell about this attack upon the constitutional rights of newspaper readers.
Supreme Court Justice Thurgood Marshall wrote in 1969, regarding the Stanley vs. Georgia case, which protected an individual's right to view pornography, "If the First Amendment means anything, it means that a State has no business telling a man, sitting alone in his own house, what books he may read or what films he may watch. Our whole constitutional heritage rebels at the thought of giving government the power to control men's minds."
Freedom of the press must go hand in hand with our right to privacy, which, while not mentioned specifically in the Constitution, has been upheld numerous times in the Supreme Court, in cases ranging from access to information on contraceptives to child-rearing. "Any right doesn't exist if the incursion on that right goes unchallenged," says Bob Corn-Revere, a First Amendment attorney in Washington. Not only should New Times be allowed to write anything it wants, you should be allowed to read it, and other people should not have the right to know what you are reading.
"A fair reading of the Fourth Amendment should protect against these unreasonable searches and seizures," says David Bodney, a First Amendment lawyer and former New Times staffer. "Any attempt by the government to reveal the reading habits of an individual is tantamount to compelling a person to testify about the same thing."
The problem in the digital age is that we are not the only ones who know you have come to our Web site and read our articles. If you were to go on Google and do a search for "Arpaio New Times," Google will know your IP address and will know if you clicked on the link to a specific story about Arpaio written by New Times. Even if newspaper Web sites don't give up that information, that would not stop intermediaries, such as Google or Yahoo, from giving up that information. And few companies holding this information are run by owners willing to go to jail to protect your rights.
Or the government could subpoena all searches, but let search engines keep the IP addresses that would identify your computer. Sounds okay, right? But by using some deduction, authorities could match up identities to a specific set of searches. How many times have you Googled you own name? Match that up with the load of search terms you have used over the past month, from looking for restaurants near your house, to searches related to work, and a detective could get a pretty good idea of who you are, and what you have read online. Last year, AOL released search logs of 650,000 anonymous users. It wasn't long before bloggers and journalists were able to connect the dots and identify users based on their search sets, including searcher 4417749, whom the New York Times pegged as Thelma Arnold, a 62-year-old Georgia woman who, we all now know, has a dog that "urinates on everything" and is interested in "60 single men," thanks to knowing her search results.
Google is thumping its chest over its recent decision to "anonymize our server logs (which include IP address, search query, time and date) after an 18-month period by, among other things, removing a portion of the IP address associated with each log entry," according to a Google spokesperson.
That's good, but it still leaves your IP address on Google for 18 months.
And what about e-mail? If a whistleblower at a government agency were to send a media organization a tip, he probably wouldn't do it with his work e-mail, instead choosing the anonymity of a Gmail or Yahoo account. But Google keeps copies of Gmail messages on its servers for 60 days, even after you've deleted them and emptied the trash from your account.
So, if a court had an inkling that someone sent information to a newspaper, they could bypass subpoenaing both the individual and the newspaper, and go to the third-party source like Google, which would then decide whether to give up the information. Google fought an excessive Department of Justice subpoena last year, but it doesn't mean they are willing to fight the good fight each and every time.
"In order to protect the privacy of the parties involved," a Google representative tells New Times, "we don't comment publicly on the nature or quantity of subpoenas we receive or the specifics of whether and how we comply with such requests."
Not very reassuring, is it?
"People need to recognize the use of e-mail as a potentially dangerous way of communicating," lawyer David Bodney says. "[Internet service providers] and third parties should rigorously protect information, including the reading habits of users. [But] it's almost impossible for third parties [like ISPs and search engines] to guarantee that your information will not fall into the hands of someone you do not want it to."
Sending a handwritten letter is, by far, safer than sending an e-mail, in terms of privacy. "We as a society should guarantee e-mail users the same protections we give to the post," Bodney says. "It's a crime to open someone else's mail, and it should be the same with e-mail. This is a great example of the law lagging light years behind technology."
Says New Times' First Amendment lawyer, Steve Suskin, "Just because the founding fathers didn't have computers doesn't mean they wouldn't be appalled by the government abusing the First Amendment rights to free speech, and our right to privacy."