While preparing to teach a recent class about search warrants for digital devices, I spoke with a number of experts in digital forensics. Each conversation was very helpful. Almost all of them touched on an issue I’d never previously considered: whether search warrants for cell phones do or may include the authority to search connected cloud services.
Last year, a panel of the Fourth Circuit decided United States v. Graham, 796 F.3d 332 (4th Cir. 2015). The panel ruled that “the government conducts a search under the Fourth Amendment when it obtains and inspects a cell phone user’s historical [cell site location information (CSLI)] for an extended period of time. . . . Its inspection by the government, therefore, requires a warrant, unless an established exception to the warrant requirement applies.” I discussed Graham here and here. Last week, the en banc Fourth Circuit reversed the panel, ruling that under the third-party doctrine, a cell phone subscriber has no reasonable expectation of privacy in historical cell site location information that he or she shares with a service provider, so it isn’t a Fourth Amendment “search” when law enforcement obtains such information, and a warrant isn’t required. The en banc opinion is here. This post discusses the opinion and considers the possibility of Supreme Court review or action by Congress.
The Fourth Circuit just decided United States v. Graham, an important case about law enforcement access to cell site location information (CSLI). This post summarizes the case, explains its importance for North Carolina proceedings, and puts it in context in the broader debate about this type of information.
On Tuesday, the Eleventh Circuit ruled, en banc, that law enforcement may obtain historical cell site location information without a search warrant, using a court order based on less than probable cause. There’s a controversy over what legal standard should govern law enforcement access to location information, and the Eleventh Circuit’s ruling is likely to be influential in the debate. This post explains the issue and puts the new decision in context.
Maybe so, according to a recent Reuters report. Apparently, the Special Operations Division of the DEA receives information from the NSA and passes it to DEA field agents. The agents then begin criminal investigations based on the information. There are two possible problems with the program described by Reuters.
End run around privacy protections. First, the NSA collects huge amounts of data under permissive legal standards because the data is gathered in the interest of national security. Allowing that data to be used for domestic law enforcement purposes, where a higher legal standard applies to data collection, could amount to an end run around the privacy protections that apply in the criminal justice system. As a Washington Post blog notes here, the NSA-DEA pipeline may “break down the barrier between foreign counterterrorism investigations and ordinary domestic criminal investigations.” It’s hard to analyze this issue further without specific information about what types of data are being collected and shared. Some data is more protected – under the Fourth Amendment and under federal statutes such as the Stored Communications Act – than other data, and the Reuters story lacks detail about the nature of the information provided by the NSA.
Falsification of evidence. Second, the DEA agents who receive the information apparently are “directed to conceal how such investigations truly begin.” Reuters explains:
A former federal agent . . . described the process. “You’d be told only, ‘Be at a certain truck stop at a certain time and look for a certain vehicle.’ And so we’d alert the state police to find an excuse to stop that vehicle, and then have a drug dog search it,” the agent said. After an arrest was made, agents then pretended that their investigation began with the traffic stop, not with the SOD tip, the former agent said. The training document reviewed by Reuters refers to this process as “parallel construction.”
This seems to me to be very serious. The implication is that DEA agents are preparing false reports about the chronology of their investigations, giving false information to prosecutors (who in turn may provide false information to the defense in discovery), and testifying falsely at trials, all to conceal the true source of their investigations.
How things should work. The impulse to protect the source of the information is understandable. Officers often have good reasons for wanting to conceal the origins of their investigations. For example, they may want to conceal the identity of a confidential informant who initiated a drug transaction in the hopes of using the same informant again in the future. Here, the DEA may want to hide the existence and the reach of the NSA’s surveillance programs, because revealing those things might prompt the subjects of the programs to alter their behavior and evade surveillance.
But the proper way to handle those concerns is not to falsify reports and mislead the parties and the court. It is to ask a judge to enter a protective order shielding the sensitive information from discovery. The judge can balance the legitimate concerns of law enforcement against the interests of the defendant, such as learning whether the source of the information was reliable, whether the information contained any exculpatory material, and whether the information was obtained in violation of privacy protections. Balancing the need for secrecy against other interests is a process with which courts are very familiar. See generally Pennsylvania v. Ritchie, 480 U.S. 39 (1987) (requiring courts to review sensitive documents such as DSS records in camera when they are potentially relevant to a criminal case, as a way of protecting both the defendant’s right to exculpatory material and the need for confidentiality in such records); United States v. Nixon, 418 U.S. 683 (1974) (ruling, in a prosecution of former government officials for obstruction of justice, that the prosecutor’s need for the President’s tape recordings and documents outweighed the President’s interest in the confidentiality of the materials where national security considerations did not appear to be at stake); Roviaro v. United States, 353 U.S. 53 (1957) (in a drug prosecution, the Court ruled that the defendant’s need to know the identity of an informant who allegedly participated in a drug transaction with the defendant outweighed the Government’s interest in protecting the informant’s identity).
What’s next? The DOJ says that it is “looking into” the story. Good. Perhaps the story is inaccurate or perhaps there are non-obvious reasons that justify the behavior the story describes, but at this point, the story appears to have exposed a genuinely pernicious practice.
I wrote here about how law enforcement officers may obtain historical information about the location of a suspect’s cellular phone. There have been several developments in the law since then, including earlier this week when the Fifth Circuit rendered its decision in In re Application of the United States of America for Historical Cell Site Data.
Summary of Prior Law. Law enforcement usually seeks historical cell site location information under the Stored Communications Act, 18 U.S.C. § 2701 et seq. The SCA generally prohibits providers of “electronic communications services,” such as cellular telecommunications companies, from disclosing subscribers’ records or other information absent appropriate legal authority. 18 U.S.C. § 2702(a)(3). What legal process is necessary? Under 18 U.S.C. § 2703(c)(1), law enforcement may obtain a “record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications)” by obtaining a search warrant or by obtaining a court order. Officers tend to prefer to seek a court order, because the standard for issuance is lower. To obtain a court order, the applicant need only present “specific and articulable facts showing that there are reasonable grounds to believe that the . . . records or other information sought, are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d). This showing is less than the probable cause required for a search warrant.
Most courts have found no Fourth Amendment problem with this statutory scheme because the subscriber voluntarily conveys his or her location to the cellular service provider by choosing to have a cellular phone and to turn the phone on. Cf. Smith v. Maryland, 442 U.S. 735 (1979) (no expectation of privacy in telephone numbers dialed, because the numbers are conveyed voluntarily to the phone company). On this view, by requiring a court order, the SCA actually provides more protection than the Constitution requires.
Origins of the Fifth Circuit Case. The Fifth Circuit case began when “the United States filed three applications under § 2703(d) of the Stored Communications Act . . . seeking evidence relevant to three separate criminal investigations. Each application requested a court order to compel the cell phone service provider for a particular cell phone to produce sixty days of historical cell site data and other subscriber information for that phone.” The applications were submitted to a federal magistrate judge, who “granted the request for subscriber information but denied the request for the historical cell site data,” even though the Government met the “specific and articulable facts” standard. The magistrate judge concluded – contrary to the conventional analysis set forth above – that cell site location information was subject to a reasonable expectation of privacy, and that “warrantless disclosure of cell site data violates the Fourth Amendment.” The district court judge agreed, and the Government appealed.
The Fifth Circuit’s Ruling. In a 2-1 decision, the court ruled for the Government. The majority endorsed the conventional view of the Fourth Amendment issue. It stated that subscribers are aware that their cell phones are communicating with cell towers, and that service providers may record that information. When the Government “merely comes in after the fact and asks a provider to turn over records the provider has already created,” it is obtaining the provider’s records, not the subscriber’s, and is obtaining information that the subscriber has voluntarily conveyed to the provider. Under Smith and other “business records” cases, this does not intrude on the subscriber’s reasonable expectation of privacy.
National Context and Impact on North Carolina. Whether law enforcement access to location information collected by cellular service providers implicates the Fourth Amendment is a hot question right now, fueled in part by the Supreme Court’s ruling on the related issue of GPS tracking in United States v. Jones, 556 U.S. __ (2012) (holding, as I discussed here, that “the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search’”). For example, the New Jersey Supreme Court just ruled unanimously in State v. Earls, __ A.3d __, 2013 WL 3744221 (July 18, 2013), that the New Jersey Constitution generally requires a warrant before obtaining cell site location information. The Third Circuit ruled a few years ago that judicial officials may, but are not required to, require a showing of full probable cause rather than merely specific and articulable facts before issuing an order for disclosure of historical cell site location information. In re Application of the United States, 620 F.3d 304 (3d Cir. 2010). And several similar cases are pending in other federal appellate courts, including the Fourth Circuit. (Readers interested in the Fourth Circuit case can check out this brief, signed in part by IDS Director Tom Maher in his capacity as Vice Chair of the NACDL’s Fourth Circuit Amicus Committee.)
There’s no case on point from our appellate division. A North Carolina judge considering an application for cell site location information is bound by none of the above cases, but may be persuaded by any of them. Unless and until the United States Supreme Court or a North Carolina appellate court rules on these issues, they remain open questions. Because there is at least some uncertainty about the Fourth Amendment issue, a cautious officer may prefer to use a full probable cause warrant or order rather than a specific and articulable facts order when possible.
Further Reading. The New York Times has a story about the Fifth Circuit case here. Leading network surveillance scholar Orin Kerr, who was involved in the case as an amicus, analyzes the opinion here.
I’ve written about law enforcement access to electronic communications, both on this blog and, more extensively, in this Administration of Justice Bulletin. One major issue is how and when law enforcement can obtain a suspect’s email from the suspect’s email provider. There are lots of wrinkles, but broadly, there’s a federal statute called the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., which generally has been viewed as governing this question. And the statute, in many cases, allows officers to obtain emails using a simple subpoena, or a court order issued on a showing of “reasonable grounds,” i.e., less than probable cause.
As I observed in the above-referenced Bulletin, there’s room to wonder whether it is constitutional for law enforcement to access an individual’s email without a search warrant issued on probable cause. In other words, one might ask whether the SCA violates the Fourth Amendment. The Sixth Circuit just became the first federal appellate court to answer that question. It did so emphatically, in an interesting case called United States v. Warshak, __ F.3d __ (6th Cir. 2010).
The defendant ran the company that sold Enzyte, a “nutraceutical” claimed to enhance penis size and sexual performance. He was convicted of many federal crimes; the essence of the prosecution was that the defendant defrauded his customers to the tune of $250 million per year. Although completely irrelevant to the legal issue presented in this post, I can’t resist highlighting a few of the facts of the scam. (1) Advertising for the product “cited a 2001 independent customer study, which purported to show that, over a three-month period, 100 English-speaking men who took Enzyte experienced a 12 to 31% increase in the size of their penises.” But there was no study; an employee of the company “plucked the numbers out of the air.” (2) Likewise, claims of a “96% customer satisfaction rating . . . [were] totally spurious” and entirely fabricated. (3) The assertion that the product “was developed by Dr. Fredrick Thomkins, a physician with a biology degree from Stanford and Dr. Michael Moore, a leading urologist from Harvard . . . [and] that the doctors had collaborated for thirteen years” was also, um, not supported by the facts; the universities in question confirmed that neither “physician” existed. (4) Surprisingly, some customers were not satisfied with the product and requested refunds. Company policy was to make this “as difficult as possible.” Indeed, “[a]t one point, Enzyte customers seeking a refund were told they needed to obtain a notarized document indicating that they had experienced ‘no size increase.’”
Several issues were raised on appeal, but the one that is relevant for present purposes concerns investigators’ use of the SCA to obtain the defendant’s emails from his ISP. Pursuant to 18 U.S.C. § 2703, the government used a subpoena to obtain some of the emails, and an ex parte court order to obtain others. The defendant moved to suppress the emails prior to trial, arguing that he had a reasonable expectation of privacy in them; that they were protected by the Fourth Amendment; and that the government should not have been able to obtain them without a search warrant based on probable cause. The motion was denied by the district court.
The Sixth Circuit, holding that “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish,” ruled that email must be protected just as much as traditional mail. And notwithstanding the fact that physical letters are entrusted to an intermediary – i.e., the post office – they are the subject of a reasonable expectation of privacy and may not be intercepted without a warrant:
[T]he police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber’s emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.
Slip Op. at 20 (internal citations omitted). The court rejected the government’s argument that the defendant’s emails were not private because the ISP’s subscriber agreement allowed it to access the emails under certain circumstances, noting by analogy that a cleaning person’s right to enter a hotel room occasionally doesn’t defeat a guest’s expectation of privacy. (The court did suggest, however, that an unusually sweeping right of access in a subscriber agreement might be viewed differently.) The court also distinguished United States v. Miller, 425 U.S. 435 (1976) (holding that a bank depositor does not have a reasonable expectation of privacy in the contents of bank records, checks, and deposit slips), because (1) it viewed the contents of email as more private than “simple business records,” and (2) an ISP, unlike a bank, is an intermediary, not the intended recipient of the communication. The court concluded:
The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.
Slip Op. at 23. Nonetheless, the court ruled that the defendant’s motion to suppress was properly denied, holding that the officers’ reliance on the provisions of the SCA was in good faith. The SCA was not “so conspicuously unconstitutional” that the officers should have doubted its validity. Applying the exclusionary rule in this circumstance, therefore, would serve no purpose.
The Electronic Frontier Foundation, which filed an amicus brief in the case, likes the decision. Leading commentator Orin Kerr thinks it is “quite persuasive and likely to be an influential decision going forward.” I suspect that the Department of Justice views the matter differently, but I couldn’t locate any public statement on the matter. A critical but as yet unanswered question is how ISPs located outside the Sixth Circuit — which is to say, most ISPs — will respond to government requests under the SCA after Warshak. Likewise, it will be interesting to see whether Warshak prompts Congress to revise the SCA. It’s starting to look like I may need to revise my Bulletin, in any event, as changes in this area of the law continue to pile up.
As I mentioned last week, I have a new publication entitled Prosecution and Law Enforcement Access to Information about Electronic Communications. It’s meant to be useful on a range of topics, from phone records to wiretapping, but the most detailed discussion concerns email, text messages, and other stored electronic communications. The very, very simplified version of that section of the paper is that the state can access that type of evidence with a search warrant, and perhaps, in some cases, by other means. In my post announcing the paper, I promised to write about defense access to stored electronic communications, a topic not addressed in the publication. Here I am, making good.
Let’s take a specific example. How, if at all, may a defendant charged with rape access emails that the complainant sent from her Yahoo! email account to a friend, where there is reason to believe that (1) the emails remain on Yahoo!’s servers and (2) the emails may be exculpatory, because they may suggest that the encounter was consensual? (Remember, if the state were seeking the defendant’s incriminating emails to his brother, it could obtain them with a search warrant directed at the defendant’s email service provider, or maybe even with lesser process.)
The short answer is, the defendant can’t access the emails.
Of course, if the complainant still has access to the emails, the defendant can subpoena them from her. But if she doesn’t — for example, if she’s deleted them — or if she isn’t forthcoming with them, the defendant probably can’t obtain the emails from Yahoo!. Under 18 U.S.C. § 2702, most communications service providers “shall not divulge . . . the contents of” electronic communications except in specified circumstances. None of the enumerated circumstances apply to the defendant’s situation; there is no general exception for compliance with subpoenas or court orders, which are the types of instruments that the defendant would normally employ in pursuing evidence. By contrast, 18 U.S.C. § 2703 provides for compulsory disclosure to “governmental entit[ies]” with appropriate process.
A number of courts have held that the specific nondisclosure command of the statute trumps instruments like subpoenas and court orders, and simply doesn’t allow criminal defendants (or private civil litigants, for that matter) to access stored email from service providers. Apparently, most email providers are, understandably, following these cases and are refusing to produce stored emails in response to defendants’ subpoenas and court orders. A good collection of cases on point appears in Thayer v. Chiczewski, 2009 WL 2957317 (N.D. Ill. Sept. 11, 2009), while a case applying the law to bar a criminal defendant from compelling a service provider to give him his own stored email is United States v. Amawi, 552 F.Supp.2d 679 (N.D. Ohio 2008). A useful law review article discussing this issue is Marc J. Zwillinger & Christian S. Genetski, Criminal Discovery of Internet Communications . . ., 97 J. Crim. Law & Criminology 569 (2007), available online here. (That makes two useful law review articles I’ve seen this year, counting this one.)
There are a couple of possible avenues of recourse for our hypothetical defendant. First, because an email provider can produce stored communications with the consent of the account holder, our defendant could try to convince the complainant to consent. Or, he could try to get a court to order her to consent. (There’s a robust debate in the cases about the propriety of that, which I won’t summarize here, but it may be worth a try.) Next, he could try to persuade the prosecution to obtain the email on his behalf. Finally, he could try to argue that the federal statutes are unconstitutional, perhaps on due process grounds, to the extent that they put a class of evidence completely off-limits to him — especially a class of evidence that the prosecution can access. There might be something to that argument, though there aren’t any reported decisions on point, presumably because, to date, defendants have been able to get by using the other methods suggested above.
I’m keen to hear about real-world experiences with this issue. As always, feel free to post a comment or to contact me off-blog.