Does the U.S. government read your email? It's a simple question, but apparently there's no simple answer. And the Justice Department and the Internal Revenue Service are reluctant to say anything on the topic.

In March, the American Civil Liberties Union caused a nationwide stir when the advocacy group released the results of its year-long investigation into law enforcement use of cellphone tracking data. After issuing hundreds of Freedom of Information Act requests, the ACLU learned that many local police departments around the country routinely pay mobile phone network operators a small fee to get detailed records of historic cell phone location information. The data tell cops not just where a suspect might have been at a given moment, but also create the possibility of retracing someone's whereabouts for months. In most cases, law enforcement obtains the data without applying for a search warrant; generally, subpoenas are issued instead, which require law enforcement to meet a lower legal standard.

ACLU lawyer Catherine Crump, who ran the cellphone location data investigation, is at it again. This time, she has filed similar Freedom of Information Act requests with several federal agencies, asking about their policies and legal processes for reading Internet users' emails.

"It's high time we know what's going on," Crump told msnbc.com. "It's been clear since the 1870s that the government needs a warrant to read postal mail. There's no good reason email should be treated differently."

---

There are hints that it is being treated differently, however. In a landmark 2010 case, United States v. Warshak, government investigators acknowledged that they read 27,000 emails without obtaining a search warrant, violating both the suspect's privacy and the privacy of everyone who communicated with the suspect, according to Crump.

Evidence obtained during that email search was thrown out on appeal by the 6^th U.S. Circuit Court of Appeals, but that ruling applies only to four U.S. states.

The case opened a window into what Crump fears is a widespread practice.

In the aftermath of the Warshak case, the Internal Revenue Service told its investigators that they should not try to obtain emails without a court order, but in doing so it hinted that other warrantless email searches had been conducted in the past.

For now, hints are all we have. Crump's Freedom of Information Act requests -- filed in February with the FBI, the IRS, the Justice Department's Office of Legal Counsel and other agencies -- were largely ignored, she says. So on June 14, she filed a lawsuit in the Southern District of New York in an attempt to force the agencies to comply.

"Four months have passed and I haven't gotten a single document," she said. "The American people have a right to know."

The federal agencies have until July 19 to reply to the lawsuit. The FBI is not included in the lawsuit because it replied recently denying Crump's request, saying it was too broad. The ACLU is appealing that determination through a different legal procedure.

Justice Department spokesman Charles Miller directed all questions about the matter to the agency's New York office. A spokeswoman for that office, Ellen Davis, said she couldn't discuss it. 

"We do not comment on ongoing litigation," Davis said in an email.

Julianne Breitbeil, a spokeswoman for the IRS, said federal privacy laws prevent the agency from discussing the lawsuit.

The Justice Department and the Obama administration had a chance to settle the issue in April 2011, during a Senate hearing on the Electronic Communications Privacy Act. Instead, officials with both the Commerce and Justice departments failed to provide any clarity. Instead, a Justice Department official argued against extending Fourth Amendment protections -- specifically strict warrant requirements -- to email, saying that doing so would hinder investigations.

"Congress should consider carefully the adverse impact on criminal as well as national security investigations if a probable-cause warrant were the only means to obtain such stored communications," James Baker, associate deputy attorney general, testified at the hearing.

Crump interpreted the testimony as indicating that warrantless email searches by federal agents are routine.

"It was disappointing when the Obama administration refused to commit one way or the other to obtaining a warrant," she said. "It leads me to suspect the federal government isn't getting warrants."

The 1986 Electronic Communications Privacy Act and its subsection, the Stored Communications Act, provides some guidelines for law enforcement review of email, but those are badly out of date now. They declare that federal authorities don't need a warrant for data that's stored externally (as opposed to locally, on a person's hard drive) if it's more than 6 months old. Given the ubiquity of services like Web-based Gmail, the 180-day distinction and the local vs. network storage issues are both now largely meaningless, and that's essentially what the 6^th Circuit Court found.

The discussion of requirements for email searches is more relevant than ever, given the explosion of social networks and their semi-private conversation tools and the coming of age of cloud services, where corporations are encouraged to keep all data in shared spaces that would fall under the Stored Communications Act. Concerned that such privacy issues would slow adoption of cloud services, a coalition of cloud-friendly companies calling itself "Digital Due Process," has argued for updates to the Electronic Communication Act that would require higher legal standards for digital evidence gathering.

A critical element of the email issue is a debate about whether the Fourth Amendment requires the government to get warrant based on probable cause in order to read a suspect’s email. To get a warrant, the government must appear before a judge, and convincingly argue that inspection a suspect’s email will probably turn up evidence of a crime.

"The warrant and probable cause requirement safeguard Americans' privacy in two important ways. Having to go to a judge means there is someone involved whose job it is to look out for the target's rights. And having to demonstrate probable cause will reduce the chances that innocent people have their communications read," Crump said.

The distinction is also important as the U.S. government plunges headlong into new high-tech surveillance technologies, such as its massive new million-square-foot "Utah Data Center," under construction in rural Utah for the National Security Agency. The facility is designed to help protect cyberspace, NSA official have said. But Wired Magazine published a cover story earlier this year arguing that the facility will be capable of monitoring every email and text message sent around the world -- including messages to and from U.S. citizens. It is scheduled to come online in 2013.

The NSA denies that the facility will be used to spy on Americans, but it's hardly far-fetched to surmise it will have such capabilities. 

Explosion of such technological capabilities is why clarifying digital Fourth Amendment rights is so critical, Crump said.

"No data is more personal than email correspondence," she said. "Email is deeply personal and private. It is an unfiltered view of our thoughts and a catalog of our relationships stretching back for years. Government agents should not be allowed to troll through all of our most private correspondence without proving to a judge that they have probable cause to believe that a search will turn up evidence of a crime."

 *Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

Why would the well-heeled suburb of Gilbert, Ariz., spend a quarter of a million dollars on a futuristic spy gadget that sounds more at home in a prime-time drama than a local police department?

The ACLU caused a stir Monday with its extensive report of cellphone surveillance by local police departments, which routinely request location information and other data from cellphone providers, often under vague legal circumstances.

But one bit of information provided by Gilbert officials suggests that cops sometimes try to cut out the middle man. Buried in the 380 public records requests sent by the ACLU is a response from Gilbert which indicates that the town purchased a device that allows it to track cellphones on its own for $244,195.

---

"The Gilbert Police Department obtained a $150,000 grant from the State Homeland Security Program," the agency wrote to the ACLU in response to a public records request. "These funds, along with $94,195 of R.I.C.O monies, were used to purchase cell phone tracking equipment in June 2008 (total acquisition cost of $244, 195)."

 

Gilbert didn't offer additional details about the device to the ACLU, and Chief of Police Tim Dorn didn't immediately respond to requests for comment.

But several surveillance experts said the device sounds like a gadget that's sometimes called a stingray.  

The stingray, made by Harris Wireless Products Group of Melbourne, Fla., lets users set up what amounts to a fake cellphone tower and trick all phones nearby into connecting with it. That data can then be used to track the physical location of anyone nearby carrying a powered-on cellphone -- even if the citizen isn’t on a phone call. A stingray can also register other data, such as the phone numbers dialed by all phones while connected to it. The device reportedly cannot record or intercept the content of a phone call, so it does not act like a wiretap.

Still, the stingray is at the heart of a hotly contested criminal case involving an identity thief named Daniel David Rigmaiden, who allegedly stole $4 million through a fake tax return scheme. Federal authorities used a stingray to find Rigmaiden in California in May 2008, then sent him to Arizona for trial.

Perhaps Gilbert was impressed with the result -- it says it acquired its device one month later.

In September 2011, a federal court in Arizona heard Rigmaiden's request to receive all details about the government's secretive use of the surveillance technology. Federal prosecutors are resisting disclosure because they say it will jeopardize use of the critical law enforcement technology in other cases.

Rigmaiden's case, as yet undecided, is largely seen as a test of the constitutionality of stingray and related police surveillance technologies. Would use of a stingray constitute a search, and thus require application for a time-consuming search warrant? Or do cellphone users give up their expectation of privacy by turning on a phone and carrying it in their pocket? The issues were discussed extensively in this recent Wall Street Journal story.

Use of a stingray-like device raises even thornier issues than cellphone records requests, said Catherine Crump, the lawyer who headed the ACLU project.

"I think when law enforcement starts purchasing technology that allows them to track cellphones in that manner, it raises a whole host of questions about how that technology is being used that are even more serious when they track people through carriers," Crump said. "At least when a carrier is involved, there's a third party that may raise concerns if the request is of questionable legality. But when a law enforcement agency can do on its own surveillance, that raises even more serious questions about whether there is appropriate oversight."

No other local police department that responded to the ACLU's public records requests mentioned purchase of a stingray-like device -- one other community mentioned borrowing such a gadget -- but Crump said that's because she didn't specifically ask about them.

"If I had to write the requests it over again, I would,” she said. “We didn’t realize how big an issue these devices were at the time. We know that there are others purchased by other agencies around the country, mainly from press reports."

The Miami police department, for example, asked Harris for a price quote in 2008. The firm's response is still on the city of Miami's website. A more extensive price list from Harris can be found at this website. 

A spokesman for Harris Wireless said the company didn't comment on clients' purchases and referred questions to Gilbert's Police Department.

The use of fake cellphone towers by law enforcement has caught on outside the U.S., too. Britain's Metropolitan Police, which serves the greater London area and is that nation's largest police force, began deploying similar technology provided by England-based Datong PLC last year, according to The Guardian. The disclosure began a round of debate about civil liberties in Britain.

Matt Blaze, a computer science professor at the University of Pennsylvania and an expert on stingray-like devices, said they are a mixed bag.

"Certainly these devices are powerful surveillance tools that, if misused, have the potential to be quite invasive against the privacy of innocent people," he said.  "But, then again, so do many other law enforcement investigative methods -- physical searches, hidden microphones, informants and so on. The question is how they are used, how often they are used and the oversight mechanisms in place to prevent and detect misuse."

Devices like stingrays are technologically limited in scope, however -- they can only monitor a limited physical area in real time -- so Blaze is less concerned about them than he is the revolving door of data between private companies and law enforcement.

"I'm less worried about law enforcement agencies with stingrays and other targeted surveillance gadgets than I am about location and other kinds of tracking through the carriers, especially when done without strong legal oversight or without probable cause," he said. "While I do worry about abuse of these kinds of electronic surveillance devices, the fact that they are inherently rather targeted in what they can collect acts as something of a built-in safeguard. I'm more concerned, in the long run, about large-scale surveillance capabilities being included in our communications infrastructure."

Still, privacy researcher Chris Soghoian – who has written extensively on law enforcement use of cellphone technology for surveillance – said police use of the stingray device is among the most troubling privacy developments in years. Some phone companies allow police officers to use a website to download customers’ GPS location data easily, “from the comfort of their own desks,” he said, and charge as little as $5 for the information. With phone company record access that easy and inexpensive, there’s no need for stingray, he argued.

“The real issue is that this device is about allowing police to perform surveillance when the phone company would say no,” said Soghoian, who is Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University. “This is not about saving time and money … it’s about the fact that there’s no one to insist that the law be followed when a stingray is used.”

 *Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter. 

A 12-year-old Minnesota girl was reduced to tears while school officials and a police officer rummaged through her private Facebook postings after forcing her to surrender her password, an ACLU lawsuit alleges. 

The claims are the latest in a string of tales showing that even password-protected, private online activities might not be safe from curious government agencies and schools. (See last week’s story)

The girl, whose identity is withheld in the lawsuit, came home "crying, depressed, angry, scared and embarrassed" after she was intimidated into divulging her login information by a school counselor and a deputy sheriff, who arrived in uniform, armed with a Taser, the lawsuit alleges.

"(The student now) fears that the school could make her give up her passwords at a moment's notice, at any time, for any reason," the lawsuit claims.  It also alleges that password prying is standard practice at the Minnewaska Middle School, which the student still attends. "(Officials) have compelled other students to disclose their private information and have accessed students' online accounts on multiple occasions," it states.

---

Officials at the Minnewaska Area School District -- which is about 125 miles northwest of Minneapolis -- say the ACLU's version of events is "one-sided," and that the school acted to "prevent disruption," according to a statement e-mailed to msnbc.com by Superintendent Gregory Ohl. 

"The district is confident that once all the facts come to light, the district's conduct will be found to be reasonable and appropriate," it said.  

When asked if the district has obtained other students’ login information, he responded, “We feel this is not accurate.”

The lawsuit raises the complicated -- and quite unsettled -- legal quandary that balances students' constitutional rights with schools' needs to maintain order and a positive educational environment. For example, can schools punish students who publicly criticize school officials on their own time using social networks?

Federal district courts have handed down contradictory decisions on that issue. Facing a chance to settle the matter, the U.S. Supreme Court in January declined to hear three cases on the issue.

But private social media criticism, intended only for a limited audience behind a password or a privacy wall, raises a different legal issue, said Teresa Nelson, a lawyer for the ACLU in Minnesota.  

"The notion that it was a search of her private Facebook content ... the Fourth Amendment applies," she said.  "The government has to have a really good reason to do that kind of search," and would need a court order in most cases, she said.

Monitor 'was mean to me'
According to the ACLU's version of events, the girl had moved and entered a new school as a 6th-grade student in the fall of 2010. In early 2011, she felt targeted by a school monitor and posted an update to her friends-only Facebook wall saying she "hated" the monitor because "she was mean to me," using her own computer and while off campus.

Soon after, she was called into the principal's office -- he had obtained a screen shot of the post -- and given detention.

The student subsequently posted another update to her page related to the incident: "I want to know who the f%$# told on me," the complaint says. Again, she was called to the principal's office, and this time was suspended for "insubordination" and banned from a class ski trip.

In March, the student had a second run-in with school authorities.  The parent of another student had complained that the girl was talking about sex with that student.  The 12-year-old was called out of class by a school counselor and eventually brought into a room with several school officials and the sheriff's deputy, where the password demands began.

The ACLU claims that the school never asked the girl's parents for permission to examine her private Facebook space. The school district doesn't dispute that it obtained the girl's password, but does say it had parental permission.

"Any viewing of (the student's) Facebook account was done with the express consent of her parents," it said in the statement to msnbc.com.

In the First Amendment fight over online criticism related to school, districts and parents are relying on legal interpretations of an outdated 1969 Supreme Court decision knows as “Tinker,” which gives students wide latitude to criticize.  That decision famously gave us the phrase, "Students don't shed their constitutional rights at the school house gates."  The opinion offers little guidance about rights on the other side of a firewall or a Facebook password, however.

The Tinker case basically found that students can say what they want as long as the speech doesn't cause a disruption at school.  But can a school's ability to punish students extend to activity conducted entirely off school grounds?

Dozens of cases over the last decade have failed to hash out the online version of this debate.  In one, a Pennsylvania student who was suspended for making a MySpace page that mocked a principal was granted a reprieve because the U.S. Court of Appeals found it wasn't disruptive. In another, a West Virginia student's suspension was upheld after she created a MySpace page where students were encouraged to discuss if a fellow classmate had herpes. 

Legal confusion
Even though the National School Boards Association asked the U.S. Supreme Court to hear appeals on these two cases in an attempt to break what seems like a legal tie, the nation's top court demurred, leaving behind a lot of legal confusion.

"Things are complicated," said the ACLU’s Nelson. "Kids have been criticizing school officials since there have been school officials. ... If kids had been venting about teachers at McDonald's no one would care."

One important distinction noted by Nelson: While she believes demands for a student's Facebook password were a clear Fourth Amendment violation, there's no constitutional issue raised by a school official learning about a private communication that's volunteered by another student. In other words, students' private Facebook chatter is only as private as the participants make it.

The ACLU of Minnesota offers a rights handbook to students who use social media. While it's specifically applicable only to Minnesota law, its principles are universal.

The pamphlet notes that while school officials in most cases cannot force students to reveal their Facebook login information, officials can search for evidence of violations "if they have reasonable individualized suspicion" about an ongoing violation of school rules. 

And while free speech rights may prevent schools from banning students from classes because of non-disruptive but critical Facebook posts, those legal protections do not extend to extracurricular activities. In other words, football players and math club members can be kicked off their squads for anything a school official deems against policy.

It's important to note that while Facebook's terms of service say members cannot give out their passwords or otherwise allow others to view private areas of their accounts. But those same terms say members must be 13 years old to join.

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.