Chapter 7
Surveillance and Cyber

CHAPTER MENU

  1. Fourth Amendment
  2. Electronic Communications Privacy Act
  3. Communications Assistance for Law Enforcement Act (CALEA)
  4. Encryption and the All Writs Act

 

Any examination of cybersecurity law would be incomplete without a review of the constraints that both the government and private companies face when monitoring networks and sharing information. From the Fourth Amendment's prohibition on unreasonable searches and seizures to the Cybersecurity Act of 2015, both the government and companies face significant constraints on monitoring electronic traffic, even when the intent is to protect networks and users.

As discussed throughout this book, cybersecurity involves more than just preventing viruses and malware from infecting systems or flooding networks with denial of service attacks. Cybersecurity involves efforts by both the private and public sector to secure the Internet and computer systems and to fight cybercrime. This chapter focuses on the tools – and limits – that U.S. government entities have to conduct cyber operations.

This chapter first examines U.S. legal restrictions on government and private sector surveillance. We begin with a discussion of the Fourth Amendment's application to electronic content, and the general prohibition on warrantless searches and seizures by the government and government agents. We then examine the Electronic Communications Privacy Act and its three components: (1) the Stored Communications Act, which restricts government and private sector access to communications and data that are stored on servers and in the cloud; (2) the Wiretap Act, which restricts the ability of the government and the private sector to monitor data while it is in transit; and (3) the Title III/pen register statute, which restricts the ability of the government to obtain “noncontent” information, such as the to/from lines of email addresses.

The chapter then examines the Communications Assistance for Law Enforcement Act, which requires telecommunications carriers and equipment makers to assist U.S. law enforcement with lawful surveillance. Finally, we examine the All Writs Act, and the government's attempts to use the eighteenth-century law to compel smartphone manufacturers to help the government access encrypted information.

This chapter demonstrates that both constitutional and statutory restrictions on cyber surveillance and operations are still developing and that courts often are unsure what limits are appropriate on government cyber operations. The complexities are compounded because many of the restrictions are drawn from decades-old statutes that did not contemplate cloud computing, social media, and other technologies.

7.1 Fourth Amendment

The government's electronic surveillance may be restricted by the Fourth Amendment. The Fourth Amendment is among the greatest constitutional limits on the government's ability to exercise power over individuals. If the government obtains evidence of a crime in a manner that violates the Fourth Amendment, none of the evidence gathered during that search or seizure can be admitted in the criminal trial of the individual whose rights were violated (though there are a few exceptions to this rule, as we'll discuss later). This section examines the Fourth Amendment's application to government surveillance and other actions in cyberspace.

The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Since our nation's founding, the United States Supreme Court and lower courts have developed a wide range of factors and balancing tests that they apply to determine whether a government search or seizure has violated the Fourth Amendment. For the purposes of this book, we will focus primarily on the cases that involved government access to information. There is a long line of court cases assessing government access to physical objects (e.g., whether a police officer can search a car due to the smell of marijuana smoke). This chapter only reviews such cases to the extent that they are useful in understanding how the Fourth Amendment limits government cyber operations.

To best understand how courts analyze the Fourth Amendment, we have broken up the analysis into six questions. This is not the only way to conduct a Fourth Amendment analysis; indeed, courts approach these issues in a variety of ways and not necessarily in this order. Some of the questions have very easy answers, while others are far from settled:

  1. Was the search or seizure conducted by a government entity (e.g., a police department) or government agent (e.g., a government contractor)?
  2. Did the search or seizure intrude upon an individual's privacy interests?
  3. Did the government have a warrant?
  4. If the government did not have a warrant, did an exception to the warrant requirement apply?
  5. Was the search or seizure reasonable under the totality of the circumstances?

7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent?

The Fourth Amendment only restricts searches and seizures that are conducted by a government entity or by a government agent that is acting for the government. Like the other constitutional rights, the Fourth Amendment is subject to what is known as the state action doctrine: it only restricts the actions of the government, and not of a private party. For instance, the government likely would violate the First Amendment by prohibiting Internet service providers from allowing their users to promote certain politicians on their websites. However, if the Internet service provider chose to prohibit its users from posting that content on their websites, the users would not be able to challenge that prohibition as a violation of the First Amendment. That is because the Internet service provider, acting independently, is not a state actor.1 The logic holds for the Fourth Amendment.

It is fairly simple to determine whether a government entity has conducted a search or seizure. In the United States, any federal, state, or local government agency or department is fully subject to the limits of the Fourth Amendment. For instance, if law enforcement officers obtain the email of a Los Angeles resident, they are subject to the Fourth Amendment regardless of whether they work for the Los Angeles Police Department, the California State Police, or the Federal Bureau of Investigation.

The more difficult question arises when a criminal defendant alleges that a government agent conducted a search. This is a particularly tricky task in cyber-related Fourth Amendment cases, since cyber infrastructure often is controlled by private companies that, at times, work with the government. In 1989, the United States Supreme Court ruled that “[a]lthough the Fourth Amendment does not apply to a search or seizure, even an arbitrary one, effected by a private party on his own initiative, the Amendment protects against such intrusions if the private party acted as an instrument or agent of the Government.”2

The Supreme Court has not defined precisely what it means to be an “instrument or agent” of the government. Lower courts have confronted the issue, and although their definitions vary somewhat, they generally have held that courts should consider the following factors when determining whether a private party acted as a government agent in conducting a search:

  • If the government instigated the private party's search of the individual.
  • The degree to which the government participated in the search.
  • The degree of control that the government exercised over the search.
  • Whether the private party was motivated by its own business interests or by the government.3

The “government agent” issue arises frequently in government prosecutions for online child pornography crimes. This is because the government often gathers evidence through a system established by federal law, which involves the participation of Internet service providers, the government, and a nonprofit organization, the National Center for Missing and Exploited Children (NCMEC).

If online service providers (e.g., email services or Internet service providers) obtain actual knowledge that a customer appears to have violated federal child pornography laws, they are required by federal law to file a report with NCMEC.4 NCMEC then reviews the report, as well as the apparent child pornography content, and if it determines that the content is in fact child pornography, it provides information to local, state, or federal law enforcement agencies. The federal law also provides legal immunity to the online service providers for their fulfillment of this duty, so that they cannot be sued for filing a NCMEC report if a customer appears to be exchanging child pornography on their services.5

Online service providers are not required to take any affirmative steps to look for child pornography. They are only required to file reports if they discover it on their services. Many service providers, however, voluntarily use automated hash scanning in an attempt to prevent the use of their services for illegal content. Often, the online services compare hash values of all user content with a NCMEC database of the hash values of known child pornography images.

When these automated searches lead to criminal prosecutions under federal child pornography laws, criminal defendants often challenge the admissibility of the evidence. They argue that the online service provider and NCMEC conducted a search of their private email or other online content, and that the warrantless search violated the Fourth Amendment. Courts typically have rejected such arguments, but occasionally have been open to hearing defendants' Fourth Amendment claims in such cases.

For instance, in United States v. Richardson,6 AOL used its image detection and filtering process (IDFP) to automatically compare hashes of customers' email content with NCMEC's database of hashes from known child pornography images. AOL detected a match for the email of its customer, Thomas McCoy Richardson, and filed a NCMEC report, as required by federal law. NCMEC provided the information to North Carolina state police, who investigated and eventually discovered dozens of child pornography images and videos on Richardson's computer, leading Richardson to admit to police that he viewed child pornography. Richardson was charged with federal child pornography crimes, and moved to suppress both the images and his statements, arguing that they were obtained due to a warrantless search of his AOL account. The gravamen of his argument was that AOL acted as a government agent when it scanned his account and reported the images to NCMEC, and therefore violated the Fourth Amendment by conducting the search without a warrant. The U.S. Court of Appeals for the Fourth Circuit concluded that AOL was not a government agent and therefore was not subject to the Fourth Amendment warrant requirement. First, the court reasoned, the government agents had absolutely no control over AOL's search, and noted that no government agent even asked AOL to conduct the search of Richardson's email.7 Relatedly, the court reasoned, Richardson presented no evidence that AOL conducted the search with the intent to help the government in a child pornography investigation. Richardson argued that the mandatory reporting requirement in federal law effectively transformed AOL into a government agent. The Fourth Circuit rejected this argument, reasoning that the law does not, in any way, obligate AOL to conduct the search in the first place. In fact, the statute explicitly states that providers are not obligated to conduct such searches.

In similar Fourth Amendment challenges in child pornography cases, other courts have reached similar conclusions when defendants claimed that Internet service providers were government agents. Courts routinely hold that service providers have legitimate business interests – independent of the government – to automatically scan content and keep their services free of child pornography.8

A more difficult question arises when child pornography defendants argue not only that the online service providers acted as government agents, but that NCMEC also is a government agent. That is a tougher call, because NCMEC receives federal government funding and operates for the primary purpose of protecting children from exploitation. In United States v. Keith,9 David Keith sought to suppress evidence collected in a search of his home and computer. The warrant for the search was supported, in part, by evidence of child pornography detected by AOL via its automated scanning of customer email accounts and included in a NCMEC report, which was used by state police in an investigation that eventually led to federal child pornography charges. Unlike other defendants, who only argued that their ISP acted as a government agent, Keith argued that both AOL and NCMEC were government agents and therefore subject to the Fourth Amendment. The federal court swiftly dismissed Keith's claim that AOL was a government agent, concluding that “AOL is motivated by its own wholly private interests in seeking to detect and deter the transmission of child pornography through its network facilities.”10 However, the court agreed with Keith's argument that NCMEC was a government agent. The court noted that the statute authorizing the NCMEC reporting program refers to the program as a “partnership” between NCMEC and the government, and that its examination of the files provided by AOL was “conducted for the sole purpose of assisting the prosecution of child pornography crimes.”11 Although AOL acted as a private party in scanning the content, the court reasoned, NCMEC was a government agent when it expanded on the search. However, the court did not suppress the evidence collected in the search of his home because the warrant also relied on evidence of child pornography provided by Staples employees who incidentally discovered child pornography images while repairing Keith's laptop.

The Keith opinion quickly set off alarms in the community of law enforcement, advocacy groups, and technology companies that seek to prevent the use of online services to distribute child pornography. For now, the Keith opinion is an outlier, but it serves as an important reminder that if private entities work too closely with the government on cybercrime issues, they could be subject to the Fourth Amendment warrant requirement.

7.1.2 Did the Search or Seizure Intrude Upon an Individual's Privacy Interests?

If a government entity or government agent conducted a search or seizure, the Fourth Amendment applies only if the search or seizure invaded the individual's privacy interests. In other words, did the individual have a reasonable expectation of privacy?

For electronic surveillance, the answer to this question traces back to a 1967 United States Supreme Court case, Katz v. United States.12 FBI agents, acting without a search warrant, installed a wiretap on a public payphone and heard the defendant discussing his illegal wagering operations. The defendant argued that his conviction was invalid because the FBI needed a warrant to conduct the surveillance. Until this decision, courts generally had focused on the physical characteristics of a search when determining whether the government invaded a constitutionally protected interest. In this case, the government argued that the defendant had no reasonable expectation of privacy because the defendant made the phone call from a public phone booth that was partly glass, so that he could be seen by passersby while he was making the call. However, the Court found this argument unpersuasive, reasoning that “what he sought to exclude when he entered the booth was not the intruding eye – it was the uninvited ear.”13 The government also argued that the Fourth Amendment did not apply to the wiretap because the FBI did not physically penetrate the phone booth. The Court rejected this argument as well, concluding that “the Fourth Amendment protects people—and not simply ‘areas'—against unreasonable searches and seizures,” and that “the reach of that Amendment cannot turn upon the presence or absence of a physical intrusion into any given enclosure.”14 The Court reversed the defendant's conviction, concluding that the Fourth Amendment did, in fact, apply to electronic surveillance:

The Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied while using the telephone booth and thus constituted a “search and seizure” within the meaning of the Fourth Amendment. The fact that the electronic device employed to achieve that end did not happen to penetrate the wall of the booth can have no constitutional significance.15

The conclusion in the Katz case is among the most significant developments in Fourth Amendment history because it took the Fourth Amendment out of the exclusively physical realm, and recognized that individuals could have a reasonable expectation of privacy in information. Katz set the groundwork for the modern Fourth Amendment disputes involving government surveillance of telephones, email, and other electronic communications.

It is important to note that the Supreme Court in Katz did not conclude that individuals automatically have a reasonable expectation of privacy in all electronic communications. In an oft-cited concurrence in Katz, Justice Harlan articulated a two-prong test to determine whether a reasonable expectation of privacy exists for Fourth Amendment purposes:

  1. whether the individual “exhibited an actual (subjective) expectation of privacy,”16 and
  2. whether that subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’”17

In other words, under this two-pronged test, the Fourth Amendment only protects an individual if that individual actually expected privacy and that expectation is reasonable. In Katz, the Court concluded that the defendant expected that his phone conversation would be private, and that objectively, this expectation was reasonable.

For electronic surveillance, among the biggest obstacles to finding a reasonable expectation of privacy is the third-party doctrine. Under this doctrine, individuals do not have a Fourth Amendment reasonable expectation of privacy in information once they have disclosed that information to an outside party. For instance, if John tells Jane a secret, and then Jane voluntarily provides that secret information to the police, John cannot claim that the police violated his Fourth Amendment rights by obtaining the information without a warrant. Of course, in the context of electronic surveillance, the third-party doctrine often is more difficult to parse.

The third-party doctrine, in the electronic surveillance realm, emerged in a 1979 United States Supreme Court case, Smith v. Maryland.18 In that case, the telephone company, at the request of the police, installed a pen register at its offices to document the numbers that were called by a robbery suspect. The police did not obtain a warrant for the pen register. Based on the information collected through the pen register, the police obtained a warrant to search the defendant's home, and he eventually was convicted of robbery. The United States Supreme Court distinguished this case from Katz, because the pen registers only obtain lists of phone numbers, and not the contents of the communications. This distinction is crucial, the Court reasoned, because people understand that they are voluntarily conveying the phone number that they are calling to the phone company. Therefore, under the first prong of Justice Harlan's Katz test, they should not have an actual expectation that the phone number is private:

All telephone users realize that they must “convey” phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills.19

Moreover, the Court reasoned, even if individuals had a subjective expectation that the phone numbers that they dialed would remain private, such an expectation would be objectively unreasonable:

When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and “exposed” that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed. The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber.20

Smith v. Maryland is perhaps the most significant limit on the Fourth Amendment rights created by Katz. It has been used by advocates of the National Security Agency to justify its bulk metadata collection program – though the United States Supreme Court has not yet ruled on that issue. Under the doctrinal rule of Smith v. Maryland, NSA's program of collecting certain noncontent information of email and phone calls should similarly be exempt from Fourth Amendment scrutiny (and therefore not subject to a warrant requirement). But NSA critics argue that the Supreme Court, in 1979, did not anticipate the bulk collection of millions of sets of metadata when it decided Smith v. Maryland.

A more difficult issue arises when individuals use an intermediary to communicate electronic information, such as email. Does the protective rule of Katz apply? Or does Smith's third-party doctrine prevent the application of the Fourth Amendment to government attempts to obtain stored email?

The United States Supreme Court has not addressed the issue directly. However, in 2010, the U.S. Court of Appeals for the Sixth Circuit addressed the issue in United States v. Warshak.21 In that case, the government obtained thousands of emails from the ISP of a corporate executive, to help bring a fraud case against the executive. The government had not obtained a search warrant for the emails; instead, it used a simple subpoena, and the defendant did not receive notice until more than a year after the email was disclosed. The Sixth Circuit held that although the Stored Communications Act (discussed below) did not require a warrant for the emails at issue, the Fourth Amendment did. The Court reasoned that the government must obtain a warrant to obtain paper mail delivered via the postal service, and “[g]iven the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection.”22 Due to the Warshak decision, law enforcement in the Sixth Circuit – Kentucky, Michigan, Ohio, and Tennessee – is required under the Fourth Amendment to obtain warrants before compelling the disclosure of emails, regardless of the length of time it has been stored. But Warshak is not binding in other parts of the United States. Since Warshak, federal prosecutors and law enforcement have been more likely to seek warrants for all emails, but they maintain that they are not required to do so.23

Other newer forms of surveillance technologies demonstrate the difficulty of applying the third-party doctrine. A number of courts have been asked to suppress evidence that law enforcement obtained via the warrantless collection of cell site information. Such information may enable law enforcement to pinpoint a suspect's location at a particular time, often providing probable cause for an arrest or a warrant to search a residence. At issue in these cases is whether the individual had a reasonable expectation of privacy in the cell site information. In recent years, courts have overwhelmingly held that, under the third-party doctrine, the Fourth Amendment does not require warrants for such searches. The U.S. Court of Appeals for the Sixth Circuit – which issued the Warshak opinion protecting email content from warrantless searches – declined to extend Fourth Amendment protections to cell site data.24 As with the call logs in Smith, the Court reasoned, cell site data does not reveal information about content and therefore is not subject to the Fourth Amendment:

Instead the records include routing information, which the wireless providers gathered in the ordinary course of business. Carriers necessarily track their customers' phones across different cell-site sectors to connect and maintain their customers' calls. And carriers keep records of these data to find weak spots in their network and to determine whether roaming charges apply, among other purposes. Thus, the cell-site data – like mailing addresses, phone numbers, and IP addresses – are information that facilitate personal communications, rather than part of the content of those communications themselves. The government's collection of business records containing these data therefore is not a search.25

There is a growing movement to reconsider the third-party doctrine because it makes little sense in the cyber age. Notably, in United States v. Jones,26 the United States Supreme Court reversed the conviction of a criminal defendant because the evidence used against him was obtained via the warrantless installation of a GPS tracking device on his car. The majority opinion focused on the physical intrusion caused by the government's installation of the device on his property. Perhaps even more notable than the majority opinion was Justice Sotomayor's concurrence, in which she suggested that the Court should reconsider the third-party doctrine altogether:

This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers … [W]hatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.27

Justice Sotomayor's concurrence was noteworthy because, if it eventually is adopted by the majority, it would undercut decades of Fourth Amendment jurisprudence and expose a wide range of information to Fourth Amendment protection, even if it was disclosed to third parties.

7.1.3 Did the Government have a Warrant?

If a government entity or government agent has conducted a search that invades a protected interest (i.e., where the individual had a reasonable expectation of privacy), the government typically must have a warrant supported by probable cause in order to comply with the Fourth Amendment. A warrant must be issued by a “neutral magistrate,” who in some cases may be a judge, but also may be a magistrate whose primary job is to determine whether law enforcement has presented probable cause that the search will yield evidence that a crime has been or will be committed. Typically, the neutral magistrate bases the probable cause determination on an affidavit that law enforcement submits along with the search warrant request.

The United States Supreme Court has stated that the purpose of a warrant is to assure the citizen “that the intrusion is authorized by law, and that it is narrowly limited in its objectives and scope.”28 The “detached scrutiny” of a neutral magistrate “ensures an objective determination whether an intrusion is justified in any given case,” the Court has stated.29

Generally, if a neutral magistrate issues a search warrant, it is very difficult for a defendant to later seek to suppress evidence gathered from the search on Fourth Amendment grounds. In United States v. Leon,30 a criminal defendant in a drug case sought to suppress evidence that was collected under a search warrant that he claimed was not supported by probable cause. The United States Supreme Court declined to suppress the evidence, even though the warrant was not supported by probable cause. Because the police conducted the search in good faith pursuant to a warrant that they believed to be valid, the Court concluded that it should not suppress the evidence gathered by the search. The “good-faith” exception makes it incredibly difficult to challenge a magistrate's probable cause determination, absent extreme recklessness or deceptive behavior by law enforcement.

One barrier to the use of warrants, however, is the “particularity” requirement. If a magistrate judge issues a warrant, the warrant must satisfy the Fourth Amendment's explicit requirement for particularity, describing the place to be searched as well as the persons or things to be seized.31 This does not necessarily mean that the warrant must describe the precise evidence that law enforcement expects to collect.32 In determining whether a warrant satisfied the particularity requirement, courts consider “(1) whether probable cause exists to seize all items of a particular type described in the warrant; (2) whether the warrant sets out objective standards by which executing officers can differentiate items subject to seizure from those which are not; and (3) whether the government was able to describe the items more particularly in light of the information available to it at the time the warrant was issued.”33

Courts have recognized the difficulty of applying the particularity requirement to cyber searches, and generally are deferential to law enforcement and magistrates. For instance, in United States v. Adjani,34 the U.S. Court of Appeals for the Ninth Circuit refused to suppress evidence collected under a warrant that allowed the search and seizure of, among other things, “[a]ny computer equipment and storage device capable of being used to commit, further, or store evidence of the offense listed above.”35 The defendants argued that rather than allowing a “wholesale search” of their email, the warrant should have specified search terms. The court sympathized with this argument, but ultimately concluded that to “require such a pinpointed computer search, restricting the search to an email program or to specific search terms, would likely have failed to cast a sufficiently wide net to capture the evidence sought.”36 The court reasoned that computer files “are easy to disguise or rename,” and therefore an overly limited search warrant would prevent law enforcement from collecting evidence.37 Although search warrants for email and other electronic evidence must have some particularity, courts recognize that law enforcement needs some leeway to conduct legitimate searches of the vast amounts of electronic data.

7.1.4 If the Government did not have a Warrant, did an Exception to the Warrant Requirement Apply?

If the government entity or a government agent conducts a warrantless search or seizure that invades a protected interest, the government must demonstrate that an exception to the warrant requirement applies. If the government does not convince the court that an exception applies, the evidence collected as a result of the search will be suppressed.

The courts have articulated a number of exceptions to the warrant requirement. Among the most commonly cited exceptions are:

  • the individual provided consent for the search;38
  • the evidence is in plain view (e.g., from the street, the police could see marijuana plants in the defendant's yard);39
  • police have probable cause to search an automobile (a recognition that given the mobility of cars, it is difficult to obtain a warrant before searching them);40
  • exigent circumstances;41
  • programmatic searches and special needs unrelated to routine law enforcement purposes (e.g., drunk driving checkpoints, border searches, searches of students' lockers in schools, searches of parolees, and searches at large public gatherings to reduce the risk of terrorism);42 and
  • searches incident to a lawful arrest, if the search is necessary to prevent the destruction of evidence, a detainee's escape, or harm to the police officer.43

In 2014, the United States Supreme Court issued its opinion in Riley v. California.44 The decision, involving the search incident to lawful arrest exception, has had a significant impact on cyber-related searches. When David Leon Riley was lawfully arrested for firearms possession, the police seized his smartphone, searched the text messages on the phone, and found messages that indicated that Riley was associated with a street gang. Riley was convicted for various gang-related offenses, and sought to overturn his conviction, arguing that the police conducted a warrantless search of his phone. The Court agreed with Riley and reversed his conviction, concluding that the search incident to lawful arrest exception did not apply to cell phones. The exception applies when there is a concern that the arrestee will harm officers or destroy evidence; the Court reasoned that neither concern is present in the case of a cell phone. The police could seize the cell phone, and obtain a warrant to search it. There was no danger that the data would be destroyed. Particularly notable about the majority opinion, written by Chief Justice Roberts, was the strong language that the Court used to caution law enforcement against warrantless searches of data:

Our cases have recognized that the Fourth Amendment was the founding generation's response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself. In 1761, the patriot James Otis delivered a speech in Boston denouncing the use of writs of assistance. A young John Adams was there, and he would later write that “[e]very man of a crowded audience appeared to me to go away, as I did, ready to take arms against writs of assistance.” According to Adams, Otis's speech was “the first scene of the first act of opposition to the arbitrary claims of Great Britain. Then and there the child Independence was born.”

Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life,” The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple — get a warrant.45

The Riley opinion likely will have impacts that reach far beyond cases involving searches incident to lawful arrests. It is perhaps the Supreme Court's strongest statement, since Katz, in opposition to the government's warrantless searches of criminal suspects' information. Riley is a clear indication that the Supreme Court believes that the Fourth Amendment applies just as much to electronic information as it does to physical objects. Although the case involved a relatively narrow issue related to the search of an arrestee, it likely will have a large impact on a wide range of future cyber-related Fourth Amendment cases.

7.1.5 Was the Search or Seizure Reasonable under the Totality of the Circumstances?

The Fourth Amendment protects individuals against “unreasonable” searches and seizures. If the government obtains a warrant, it is generally presumed to be reasonable.46 If, however, a warrantless search is conducted under an exception to the warrant requirement, the government still must demonstrate that the search was “reasonable” and therefore did not violate the Fourth Amendment.47

To assess reasonableness of a search, courts conduct a “totality of the circumstances” analysis of the search, in which they evaluate “on the one hand, the degree to which it intrudes upon an individual's privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests.”48

Courts have great leeway in determining the weight that they will accord to these often-competing values. A recent application, relevant to cyber searches, arose in the case of Jamshid Muhtorov, a legal permanent resident of the United States who was charged with providing material support to a designated terrorist organization. The government notified Muhtorov that it planned to use evidence that it collected under Section 702 of the FISA Amendments Act of 2008, a program (colloquially known as “PRISM”) that allows federal intelligence agencies to conduct electronic surveillance of targets who are believed to be located outside of the United States and are not United States citizens. Although Muhtorov was located within the United States, the target of the surveillance apparently was not believed to be in the United States, and therefore the communications were collected under Section 702 (the contents of the communications were classified and not included in the court opinion). Muhtorov asked the court to suppress the evidence collected under Section 702, arguing that it violated his Fourth Amendment rights.

A Colorado federal judge denied Muhtorov's motion to suppress. After concluding that foreign intelligence gathering falls within the “special needs” exception to the warrant requirement (a conclusion reached by many other federal courts, but never addressed directly by the United States Supreme Court), the Colorado judge concluded that under the totality of the circumstances, the search was reasonable. The judge concluded both that Section 702, on its face, is constitutional, and that it was constitutionally applied to Muhtorov. Key to the judge's ruling was an extensive set of “minimization procedures” that the government uses to weed out information that is not related to foreign intelligence and to reduce the likelihood of searches being conducted of people who are either U.S. citizens or located in the United States. “I conclude on the record before me that a proper and supported application was filed, and that the targeting and minimization procedures forwarded were tailored to the government's legitimate foreign intelligence purposes and took into account the privacy interests of individuals whose communications would be incidentally acquired,” the judge wrote.49

Ultimately, unless the Supreme Court has explicitly found a specific government practice to be reasonable or unreasonable, courts have a great deal of leeway under the totality of the circumstances framework. Whether the government's needs outweigh the individual's privacy interests ultimately is a value judgment that likely will vary by court and judge. Accordingly, it often is difficult to predict, with certainty, whether a government search or seizure comports with the Fourth Amendment. This is particularly true with cyber searches, which often involve novel factual issues that have not yet been addressed by other courts.

7.2 Electronic Communications Privacy Act

In satisfying the Fourth Amendment's requirements, the government also must ensure that it isn't violating any statutes that restrict the government's ability to conduct electronic surveillance. The Electronic Communications Privacy Act (ECPA) is the most comprehensive U.S. law relating to cyber surveillance. ECPA limits the ability of government agencies, such as law enforcement, to obtain emails, monitor networks, and obtain Internet traffic logs. ECPA also imposes strict boundaries on the ability of service providers (e.g., phone companies and email service providers) to provide other private parties or the government with access to customer emails and other records.

ECPA is central to cybersecurity because it severely limits the ability of both the government and the private sector to monitor networks for cybersecurity vulnerabilities and threats and to share the information. Moreover, it restricts the ability of law enforcement to monitor communications for kinetic threats (e.g., terrorist plots).

Congress passed much of ECPA in 1986. Although it has been amended since then, the heart of the law remains the same today as when it was passed more than three decades ago. This has led a number of critics to call for a full-scale overhaul of the statute.50

For now, however, ECPA remains the law of the land, and it shapes the cyber decisions of many companies and government agencies. This chapter provides an overview of the three sections of ECPA: the Stored Communications Act, the Wiretap Act, and the Pen Register Act. The Stored Communications Act regulates the ability of governments to compel – and service providers to disclose – stored communications such as email messages and cloud content. The Wiretap Act restricts the ability of the government to monitor communications while they are in transit. The Pen Register Act restricts the ability of government agencies and private parties to obtain noncontent information about telephone and email communications, such as phone numbers dialed and the to/from headers on email messages. The entire text of ECPA is reprinted in Appendix E. This section is intended to provide an overview of the key concepts necessary to understanding how ECPA applies to cybersecurity.

7.2.1 Stored Communications Act

Data that is stored on a computer, server, or the cloud – such as email and files – may be covered by the Stored Communications Act (SCA). As the U.S. Court of Appeals for the Ninth Circuit observed, the SCA “reflects Congress's judgment that users have a legitimate interest in the confidentiality of communications in electronic storage at a communications facility.”51

The SCA, passed in 1986, covers three general categories: (1) access to stored communications;52 (2) voluntary disclosure of stored communications by service providers;53 and (3) law enforcement agencies' attempts to compel service providers to disclose stored communications.54

The first category can be seen as a supplement to the Computer Fraud and Abuse Act, which is described in Chapter 5. Indeed, criminal charges against computer hackers often are brought under both the SCA and CFAA. The second category involves the restrictions placed on a service provider's ability to disclose its users' information. In many ways, this is analogous to a privacy law. The third category limits the government's ability to require service providers to provide users' information. This section will consider each of these SCA categories in turn.

Before examining each of these three categories, it is important to understand the scope of the SCA's applicability. The SCA applies to two types of services: electronic communications services (ECS) and remote computing services (RCS). The definitions of these services are important, because the SCA imposes different requirements depending on whether a service is classified as an ECS or RCS. In many cases, a service provider may be both an ECS and an RCS.55

The SCA defines ECS as “any service which provides to users thereof the ability to send or receive wire or electronic communications,”56 which are the “transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”57 Many courts have held that unopened emails stored on servers or the cloud fall within the definition of ECS.58 Similarly, a secured website that is used to communicate has been held to be an ECS.59 Moreover, courts have held that Internet access, provided by Internet service providers, is an ECS,60 as are cell phone service providers.61

The SCA defines RCS as “the provision to the public of computer storage or processing services by means of an electronic communications system,” which it defines as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”62 Keep in mind that Congress passed the SCA in 1986 – long before the modern era of cloud computing. When passing the SCA, the Senate issued a report in which it provided the following explanation of its reasons for explicitly covering RCS:

In the age of rapid computerization, a basic choice has faced the users of computer technology. That is, whether to process data inhouse on the user's own computer or on someone else's equipment. Over the years, remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities. Today businesses of all sizes — hospitals, banks and many others — use remote computing services for computer processing. This processing can be done with the customer or subscriber using the facilities of the remote computing service in essentially a time-sharing arrangement, or it can be accomplished by the service provider on the basis of information supplied by the subscriber or customer. Data is most often transmitted between these services and their customers by means of electronic communications.63

Although information technology habits have changed since 1986, the Senate's general explanation of the use of “remote facilities” continues to apply to the definition of RCS. Services such as cloud computing and data centers – in which data is stored remotely for long-term use – fall under the definition of RCS. In some cases, it may not be entirely clear whether a service is an ECS or RCS.64 For instance, email that is opened and then stored for many years – as is common practice – has been argued to be either RCS or ECS. The confusion largely is due to the fact that the SCA was enacted in 1986, a time when remote storage was limited, and it therefore was inconceivable to remotely store opened email for a long period of time. But the distinction between RCS and ECS is vital. As we will see, the designation may play an important role in determining the privacy protections that the SCA affords to a service's users.

7.2.1.1 Section 2701: Third-Party Hacking of Stored Communications

Section 2701 of the SCA makes it a criminal offense to access an individual's email (or other ECS) without authorization. The statute also allows victims of unauthorized access to bring civil claims. Think of this section as a restriction on the ability of outside parties to hack a stored communication.

The statute imposes criminal penalties on any individual who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided” or “(2) intentionally exceeds an authorization to access that facility,” and, through either of those actions, “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such a system[.]”65 Individuals who are convicted of this crime face fines and up to ten years in prison. The law allows service providers and individuals to file civil actions against violators.66

A significant limitation on this criminal provision is that it applies only to a facility through which an ECS is provided. Courts generally have held that hacking an individual's computer or smartphone does not constitute a violation of the SCA because that individual device is not a “facility”; instead, the unauthorized access must be of an email account, cloud service, or other ECS facility.67 For instance, in 2012, a California federal judge dismissed a Section 2701 class action lawsuit against Apple, alleging that its iOS devices violated plaintiffs' privacy rights by allowing third-party applications to collect information about users. The judge noted that although “the computer systems of an email provider, a bulletin board system, or an ISP are uncontroversial examples of facilities that provide electronic communications services to multiple users,” individuals' computers, laptops and mobile devices do not constitute “facilities.”68

Another significant limitation on this statute is the requirement that the access to the facility be “without authorization” or in excess of authorization. As with the CFAA, discussed in Chapter 5, it often is difficult for the government or civil plaintiffs to demonstrate that access was entirely without authorization or in excess of authorization. For instance, in a 2000 case in Michigan, a company accused its former manufacturer's representative of continuing to access the company's confidential sales information, which was stored on the network of one of its retailers, Kmart. The company alleged that the representative's continued access to the information, even after its termination, constituted a Section 2701 violation.69 The district court disagreed and dismissed the lawsuit. Even though the manufacturer's representative continued to access the sales information after its termination – and it arguably had no need to do so – the court reasoned that Kmart continued to provide the representative with access to its network. “Where a party consents to another's access to its computer network, it cannot claim that such access was unauthorized,” the court concluded.

In contrast, the next year, a court allowed a Section 2701 class action lawsuit to proceed against Intuit, which the plaintiffs alleged used website cookies to violate their privacy rights. The court reasoned that, unlike the Michigan case, “Plaintiffs here allege that they did not authorize Defendant to access data contained in the cookies it implanted on Plaintiffs' computers.”70

7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties

Section 2702 of the SCA restricts the ability of both ECS and RCS providers to voluntarily disclose both communications contents and consumer records. Disputes under this section commonly arise during discovery in civil cases; parties to litigation often subpoena service providers for emails, logs, and other records. Importantly, Section 2702 does not have an exception that allows RCS and ECS providers to turn over information in civil discovery.71

The statute prohibits a public ECS provider from knowingly divulging to either the government or private parties “the contents of a communication while in electronic storage by that service.”72 Public RCS providers are prohibited from divulging contents of communications that are maintained on the service on behalf of – and received via electronic transmission from – a subscriber or customer. RCS providers also may not disclose contents of communications that are stored on their services, unless the customer has provided authorization (e.g., by creating a public folder on the cloud). The statute broadly defines “contents” to include “any information concerning the substance, purport, or meaning of that communication.”73

Keep in mind that Section 2702 only applies to ECS and RCS services that are provided to the public. This generally has been interpreted to include service providers that have customers; a purely internal email system (e.g., a private company's email and document storage server) likely would not be considered to be provided “to the public.” For instance, in a 1998 case, an Illinois federal judge rejected the argument that Section 2702 applies to an ECS provider “even if that provider maintains the system primarily for its own use and does not provide services to the general public.”74 The court concluded that “the statute covers any entity that provides electronic communication service (e.g., e-mail) to the community at large.”75

Section 2702 contains a number of exceptions that allow service providers to disclose communications content under limited circumstances:

  • To the intended recipient of the communications content.76 For example, Gmail can deliver the email to the address that is in the “to” line of the email.
  • If law enforcement obtains a warrant or other valid process that is authorized under another statute.77 For instance, Section 2703 of the SCA, discussed below, provides a few mechanisms for law enforcement to obtain valid process to compel service providers to disclose communications content. If the service providers receive this process, they will not be held liable for disclosure.
  • If the originator or addressee of the information consents to the disclosure.78
  • To deliver the communications to its destination.79 An example is an email provider that has to transmit a message through a third-party service provider in order for it to reach its intended destination.
  • As is “necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of the service.”80 This is one of the more controversial exceptions to Section 2702. For instance, in 2006, the plaintiff contended that if it did not comply with a civil subpoena for a customer's communications content, the company could face court sanctions, and therefore providing the information protects the service provider's rights or property. The California Court of Appeal rejected this argument, concluding that the “effect of such an interpretation would be to permit disclosure whenever someone threatened the service provider with litigation.”81 However, few courts have directly addressed this exception, so it is not entirely clear exactly what types of disclosure would fall under this exception.
  • To the National Center for Missing and Exploited Children, in connection with a child pornography investigation.82 As discussed in the Fourth Amendment section above, 18 U.S.C. 2258A requires all ECS and RCS providers to file a report with the National Center for Missing and Exploited Children if the providers obtain actual knowledge of an apparent violation of federal child pornography laws. Filing this report is explicitly exempt from the SCA.
  • If the contents were inadvertently obtained by the service provider and appear to pertain to the commission of a crime. No published court opinion has interpreted this provision, but based on court rulings regarding other exceptions to the SCA, for this exception to apply, a service provider likely would have to present substantial evidence that it obtained the contents “inadvertently.”
  • To a governmental entity, if the provider, in good faith, believes that “an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”83 For instance, one court suggested in nonbinding dicta that if a service provider obtains credible evidence of potential child abuse, it is authorized to provide communications content to a government social services agency.84

Section 2702 allows RCS and ECS providers to divulge “a record or other information pertaining to a subscriber to or customer of such service” to nongovernmental entities, provided that the record does not include the contents of communications. Such records include subscriber names, addresses, and social security numbers.85 However, RCS and ECS providers still are prohibited from disclosing customer records to government entities, unless the disclosure is (1) otherwise authorized by Section 2703; (2) with the customer's consent; (3) necessarily incident to rendering the service or protecting the service provider's rights or property; (4) to the government, if the provider believes in good faith that an emergency exists; or (5) to NCMEC in connection with a child pornography investigation.

Individuals who believe that their SCA rights have been violated can file a civil action for actual and punitive damages.86

7.2.1.2.1 The Cybersecurity Act of 2015: Allowing Service Providers to Disclose Cybersecurity Threats to the Government

A recently enacted law expands the ability of RCS and ECS providers to disclose communications content and customer records to the government. In December 2015, Congress passed the Cybersecurity Act of 2015, which is intended to promote collaboration between the private sector and federal government on cybersecurity.

The Cybersecurity Act of 2015, described above, may significantly expand the ability of operators of computer networks and systems to monitor for cybersecurity threats without facing liability under the Stored Communications Act. The Cybersecurity Act allows private entities to monitor their own information systems – as well as information systems of other entities with consent – for “cybersecurity purposes.”87 It defines “cybersecurity purpose” as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”88

The Act broadly defines “cybersecurity threat” as “an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”89 Cybersecurity threats do not include actions that merely violate a customer terms of service or licensing agreement. The Act defines “security vulnerability” as “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.”90

Because the law was recently enacted, we do not yet know how broadly courts will interpret key terms such as “cybersecurity threat” and “security vulnerability.” However, the plain language of the statute appears to be fairly broadly worded, increasing the likelihood that courts will apply it to a wide variety of attempts to investigate past cyber incidents and prevent future incidents. If that is the case, then the Cybersecurity Act may enable private parties to monitor their own systems and networks – and the systems and networks of others who have provided consent.

The statute also allows private companies to operate “defensive measures” for “cybersecurity purposes.” However, the statute's definition of “defensive measures” is rather narrow, and explicitly excludes “hacking back” at a network that the company believes had attacked its network. The statute defines “defensive measure” as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected threat or security vulnerability.”91 The statute explicitly states that “defensive measure” does not include “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system” that is owned by neither the private entity that is operating the measure nor another entity that is “authorized to provide consent and has provided consent to that private entity to operate the measure.”92

7.2.1.3 Section 2703: Government's Ability to Force Service Providers to Turn Over Stored Communications and Customer Records

Section 2703 of the SCA restricts the government's ability to compel ECS and RCS providers to disclose communications content and records. As we will see, this is not the only restriction on the government; in addition to the Section 2703 requirements, the government also must satisfy the requirements of the Fourth Amendment of the U.S. Constitution. In some cases, even if the SCA allows the government to compel disclosure, the Fourth Amendment may prevent it.

Section 2703's restrictions for the disclosure of communications content depend on whether the provider is an ECS or RCS provider, and the length of time the communications content has been stored. In short, electronic communications in electronic storage with ECS providers for 180 days or less receive more protection than older ECS communications (or any RCS communications). This distinction is a relic of the mid-1980s, when most electronic communications were immediately downloaded onto individuals' computers and rarely stored for the long term on a service provider.

Despite a widespread consensus that the 180-day distinction is arcane and wholly inapplicable to modern technology, the 1986 law remains the law of the land for now. Here is how it works: The government must obtain a court-issued warrant, supported by probable cause, to compel communications content from an ECS provider if that content has been “in electronic storage in an electronic communications system for one hundred and eighty days or less.”93 Some courts have concluded that once emails are opened, they are no longer in electronic storage – and therefore, not subject to the warrant requirement94 – while others have reached the opposite conclusion and required a warrant for any emails stored with ECS providers, as long as they are no more than 180 days old.95

To obtain communications content stored with an ECS provider for more than 180 days – or stored with an RCS provider – the government has a few options.

First, it could go to court and obtain a warrant supported by probable cause, just as it would for ECS content that is stored for 180 days or less. But that is a fairly high burden to meet, and the SCA allows two other options.

Second, it could use an administrative subpoena that is authorized by a federal or state statute, or a federal or state grand jury or trial subpoena. The rules differ depending on jurisdiction, but the government typically does not need to come anywhere close to demonstrating probable cause; however, the material sought must be relevant and related to the investigation or trial.96

Third, the government may obtain what is known as a “(d) order,” so named because it is a mechanism created by subsection (d) of Section 2703 of the SCA. A federal or state court may issue a (d) order if the government “offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”97 Although this requires the government to provide some specific facts, this showing, as with a subpoena, is much lower than the probable cause required to obtain a warrant. A court can quash or modify a (d) order only if the service provider files a motion that demonstrates that “the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.”98

To obtain communications via an administrative subpoena or (d) order, the government must provide prior notice to the subscriber or customer, unless it convinces a court to delay notice because “there is reason to believe that notification of the existence of the court order may have an adverse result[.]”99

A number of critics say the 180-day distinction has become outdated and is often unworkable for modern communications. For this reason, members of both parties in Congress have long been attempting to amend the SCA to provide for the same level of protection regardless of the amount of time that a communication has been in storage. “In 2015, it is absurd that the government is free to rifle through Americans' emails that are older than six months,” Sen. Ron Wyden, a sponsor of one such amendment, said in 2015. “Because of this arcane law, as technology advances, Americans' civil liberties are eroding.”100

Moreover, as discussed in Section 7.1, some courts are beginning to hold that the Fourth Amendment requires a warrant for the government to obtain all communications, regardless of the length of time that they are stored. As of the publication of this book in 2016, momentum was building in Congress for an amendment to the Stored Communications Act that would eliminate the 180-day distinction and require the government to obtain a warrant for stored communications regardless of the length of time that they had been stored.

7.2.2 Wiretap Act

As its name suggests, the Stored Communications Act restricts the disclosure and procurement of communications that are stored on a medium (e.g., a server). In contrast, the Wiretap Act101 restricts the ability of the government and private parties to intercept communications as they are in transit.

The Wiretap Act was passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 in response to the United States Supreme Court's ruling in Katz v. United States102 that the Fourth Amendment restricts the government's use of wiretaps to eavesdrop on telephone calls.103

The Wiretap Act contains a broad, general prohibition on the intentional interception, procurement, and use of electronic, wire, or oral communications.104 The statute also prohibits the intentional interception or disclosure of the contents of unlawfully intercepted communications.105 As the U.S. Court of Appeals for the Eleventh Circuit accurately summarized, a typical claim of a Wiretap Act violation consists of a demonstration that the defendant “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication (5) using a device.”106 The Wiretap Act uses the same definition of “contents” as the SCA: “any information concerning the substance, purport, or meaning of that communication.”107 Courts generally have broadly interpreted this definition to include personally identifiable information such as names and birthdates.108 However, data automatically generated about the call, such as the call time and duration, is not considered “content” that is covered by the Wiretap Act.109

Violations of the Wiretap Act carry criminal fines and prison time of up to five years. The statute also allows the victims of Wiretap Act violations to file civil lawsuits for damages and equitable relief.110

The Wiretap Act's broad prohibitions contain a number of exceptions.

First, the Wiretap Act does not prohibit an employee of a communications provider from intercepting, disclosing, or using communications for any activity “which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service.”111 As one court noted, this exception “has been repeatedly interpreted by Courts to authorize telephone companies to intercept and monitor calls placed over their facilities in order to combat fraud and theft of service.”112 Similarly, this exception enables employers to monitor employee email accounts without facing Wiretap Act charges.113

Second, communications providers may provide information to the government as authorized by the Foreign Intelligence Surveillance Act, which sets the framework for collection of foreign intelligence information from U.S. infrastructure.114

Third, a law enforcement officer who is party to a communication is not subject to the Wiretap Act's prohibitions.115 Relatedly, the Wiretap Act does not restrict law enforcement if at least one party to the communication has provided consent.116 In other words, if one of the parties to a phone conversation or email exchange is an undercover officer, or a private party acting on behalf of law enforcement, then the Wiretap Act would not restrict the government's interception of that phone call.

Fourth, a private individual may intercept a communication if that individual is a party to the communication, or if one of the parties provided consent.117 However, this exception does not apply if the interception is conducted to commit a criminal or tortious act that violates a state or federal law. For instance, some states have imposed “two-party consent” laws that require consent from all parties to a communication before wiretapping is permitted.118

The most significant exception to the Wiretap Act, for government purposes, allows law enforcement to seek a court order for the interception of wire, oral, or electronic communications.119 Under this exception, law enforcement must fulfill a number of requirements before obtaining an order that allows them to intercept communications.

Applications for wiretap orders must contain the identity of the officer seeking the information, a “full and complete statement of the facts,” including:

(i) details as to the particular offense that has been, is being, or is about to be committed, (ii) [when possible] a particular description of the nature and location of the facilities from which or the place where the communication is to be intercepted, (iii) a particular description of the type of communications sought to be intercepted, (iv) the identity of the person, if known, committing the offense and whose communications are to be intercepted.120

The application also must describe whether other investigative procedures have been attempted, the period of time for which interception has been attempted, and a statement concerning previous applications for wiretaps.121

After reviewing the application, the judge may grant the order only after finding that there is probable cause to believe that the target of the wiretap is committing, has committed, or soon will commit a particular serious criminal offense and that there is probable cause to believe that communications concerning the offense will be obtained via the wiretap.122 The court also must find that normal investigative procedures that do not require a wiretap either have failed or reasonably appear unlikely to result in information about the offense.123 The court also generally must find that there is probable cause to believe that the Internet connection or other communications facility that is being wiretapped is being used by the target of the investigation.124

In short, before a court will grant a wiretap order, it must determine that probable cause exists for three different elements: (1) that the target has committed, is committing, or soon will commit a crime; (2) that the wiretap will lead to information about this crime; and (3) that the target will use the communications facilities specified in the wiretap application. This is a relatively high standard to meet. As one court held, probable cause for a wiretap application requires a “reasonable and common sense” evaluation of all of the facts:

Under this standard, the question that must be decided in issuing a warrant is whether there is probable cause to believe that evidence of a crime will be uncovered. Obviously, certainty is not required at this stage, and the exact quantum of support required has frequently been described as “a fair probability,” but more than a “mere suspicion,” that such evidence will be discovered. Facts can amount to a fair probability without being proof beyond a reasonable doubt or even a prima facie showing.125

In other words, although a court need not be certain that the wiretap will uncover evidence of a crime, law enforcement must make a substantial showing in order to obtain a wiretap order.

A wiretap order may be authorized for no longer than thirty days.126 If law enforcement needs an extension, then it must seek an extension of up to thirty days. As one federal appeals court stated, the Wiretap Act intends law enforcement “to adopt minimization techniques to reduce to a practical minimum the interception of conversations unrelated to the criminal activity under investigation.”127

Although the Wiretap Act traditionally applied to the interception of phone calls, it also limits the ability of private parties and law enforcement to intercept electronic communications while in transit. Accordingly, the Wiretap Act applies not only to phone calls, but to email messages, instant messages, text messages, and other communications that are intercepted while in transit.128

The Cybersecurity Act of 2015, discussed above, has the potential to significantly enhance the ability of private entities to monitor systems and networks for cybersecurity threats. The Cybersecurity Act allows organizations to monitor their systems and networks – and the systems and networks of others who have provided consent – for “cybersecurity purposes,” which is intended to protect systems from a cybersecurity threat or security vulnerability.

Consider a large Internet service provider that constantly confronts malware that slows down its systems and threatens the online security of its customers. The Cybersecurity Act of 2015 enables the ISP to monitor the email and other communications of its users, to the extent that this monitoring is conducted exclusively for “cybersecurity purposes.” Because the law was recently passed, we do not yet have clear guidance from courts as to how they will interpret the phrases “cybersecurity purpose,” “cybersecurity threat,” and “security vulnerability.” Even if courts do adopt a broad interpretation of the phrase, companies must ensure that all scanning is conducted for that purpose, and that cybersecurity is not merely a pretext for another reason for monitoring.

7.2.3 Pen Register Act

As described in Section 7.1, the United States Supreme Court has held that the Fourth Amendment does not restrict the government's use of pen registers to obtain noncontent information, such as logs of telephone numbers and other metadata. In response to this ruling, Congress in 1986 passed Chapter 206 of ECPA, known as the Pen Register Act.

The Pen Register Act restricts the collection of noncontent communications data by the government and private parties. The statute applies to “pen registers,” which it defines as devices or processes that record “dialing, routing, addressing, or signaling information” of a wire or electronic communication.129 It also applies to “trap and trace devices,” which record the metadata of incoming communications.130

The Pen Register Act does not apply to the contents of communications – those are regulated under the Stored Communications Act and Wiretap Act. In 2001, as part of the PATRIOT Act, Congress amended the Pen Register Act to clarify that it applies to the metadata of electronic communications, such as email. However, the subject line of emails is typically considered to be content, and therefore is not covered by the Pen Register Act.

The Pen Register Act imposes a general prohibition131 on the use of pen register and trap and trace devices, with a few key exceptions:

  • if the pen register or trap and trace device is related to the “operation, maintenance, and testing” of a communications service;132
  • if the pen register or trap and trace device is related to the protection of the communications providers or their users to keep the service free of abuse or unlawful service use;133
  • if the user has consented;134 or
  • if the government has obtained a court order under Section 3123 of the Pen Register Act.135

Section 3123 does not require the government to demonstrate probable cause that a crime has occurred or will occur. Instead, law enforcement must satisfy the more lenient requirement of demonstrating that “information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.”136

A Section 3123 order must specify the identity of the person to whom a telephone line or facility is leased, the identity of the person who is the subject of the investigation, the attributes of the communications to which the order applies, and a statement of the offense to which the information likely to be obtained by the device relates.137 The orders may not exceed sixty days and may be extended by new court order for up to sixty days.138 Communications providers are prohibited from disclosing the existence of a pen register or trap and trace order unless directed by the issuing court.139

7.2.4 National Security Letters

Among the most controversial aspects of the 2001 USA PATRIOT Act, passed after the September 11, 2001, terrorist attacks, was an expansion of the government's ability to issue national security letters. National security letters are administrative subpoenas that allow the government to secretly obtain certain information relevant to national security investigations. The national security letter statute has since been amended modestly to address some concerns of privacy advocates.

The National Security Letter provision of the Stored Communications Act140 allows the Federal Bureau of Investigation to provide a wire or electronic communication service provider with a name, phone number, or account number and request the associated name, address, length of service, and local and long-distance toll billing records of that person or account. Rather than obtain court approval, an FBI official need only certify in writing that “the name, address, length of service, and toll billing records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.”141 If the request does not include local and long-distance toll billing records, the FBI need only certify that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. The national security letter may not be issued solely due to an individual's First Amendment protected activities (e.g., organizing a lawful protest).142

The National Security Letter statute prohibits communications service providers from revealing the existence of a national security letter to any person, provided that the FBI certifies that the absence of a disclosure prohibition would result in a danger to U.S. national security, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.143 If a communications provider receives such a nondisclosure order, it is permitted to disclose the existence of the national security letter to people to whom disclosure is necessary for compliance, an attorney to receive legal advice, or others approved by the FBI.144 Individuals to whom the providers have disclosed the existence of a national security letter also are bound by the gag order.145

In 2006 and 2015, Congress amended the National Security Letter statute to allow for a limited form of judicial review.146 If a service provider receives a nondisclosure order associated with a national security letter, it may notify the government that it wishes to have a court review the order, or file a petition for review in federal court. Within thirty days of receiving notification, the government must ask a federal court for an order prohibiting disclosure.147 The application must include a certification from a senior Justice Department or FBI official explaining why an absence of a prohibition on disclosure may result in a danger to U.S. national security, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.148 The federal court will approve the nondisclosure order only if it agrees with the government's allegations in its application.149

7.3 Communications Assistance for Law Enforcement Act (CALEA)

This chapter has examined the limits on the government's ability to obtain information about individuals' communications. If the government is permitted to obtain the information, it still must have cooperation from communications providers, such as phone companies and Internet service providers.

That's where the Communications Assistance for Law Enforcement Act (CALEA)150 comes in. The statute, passed in 1994, requires telecommunications carriers to assist law enforcement in conducting electronic surveillance under lawful warrants and court orders.

The Federal Communications Commission, which enforces CALEA, has broadly applied CALEA's requirements not only to traditional phone companies like AT&T and Verizon but also to Voice Over Internet Protocol and broadband service providers.151

CALEA requires telecommunications providers that “provide a customer or subscriber with the ability to originate, terminate, or direct communications” to ensure that their systems and networks are capable of expeditiously assisting the government in conducting lawfully authorized electronic surveillance.152

CALEA also requires telecommunications providers to secure their law enforcement assistance technology to “ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance with regulations prescribed by the Commission.”153

The FCC has stated that telecommunications providers are free to develop their own solutions to ensure that their systems comply with CALEA's requirements.154

CALEA's requirements are limited to telecommunications providers. The requirements do not apply to information services or telecommunications equipment.155 Nor does CALEA require telecommunications carriers to help the government decrypt communications, unless the carrier provided the encryption and possesses the key or other information necessary to decrypt.156

7.4 Encryption and the All Writs Act

One of the most prominent cyber-related surveillance disputes in recent years has involved government access to encrypted communications. This is not a new debate; indeed, in the 1990s, the government failed in its attempt to require technology companies to include a “backdoor” to allow law enforcement access to encrypted communications. The debate re-emerged in 2016, as encryption was the default setting on a number of smartphones and mobile apps. The FBI and state and local law enforcement increasingly became concerned that even if they had a lawful warrant, supported by probable cause, to search a mobile device, they would be unable to do so because the data was encrypted.

The issue received national prominence in early 2016, during the government's investigation of a San Bernardino shooting that killed fourteen people. The government sought to obtain information from the iPhone of one of the two shooters, Syed Rizwan Farook, who had died during the shooting. The phone was owned by Farook's employer, and the FBI obtained a search warrant for the phone. However, the government was unable to access the content on the phone because it was locked with a passcode. Normally, the FBI could circumvent this passcode by using a “brute force” attack that automatically enters all combinations of numbers until it gains access. However, the iPhone operating system is equipped with a function that automatically wipes data from a device after ten unsuccessful attempts at entering a password. The government requested that a California federal court order Apple to assist it in disabling the auto-wipe function from the device.

No statute explicitly requires Apple to assist the government with carrying out a search warrant, as there is not an equivalent of CALEA for device makers. Rather, the government sought this order under the All Writs Act, a statute that states that “all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”157 The United States Supreme Court has stated that this statute is “a residual source of authority to issue writs that are not otherwise covered by statute.”158 In other words, the government sought to use the All Writs Act as a catchall statute to order Apple to help it carry out a search warrant.

No binding appellate court ruling had explicitly required a company such as Apple to help the government defeat encryption. The government relied largely on a 1977 United States Supreme Court case, United States v. New York Telephone Co.,159 in which the Court held that the All Writs Act requires a phone company to assist the FBI with carrying out a pen register order. The Court concluded that the Act extends “to persons who, though not parties to the original action or engaged in wrongdoing, are in a position to frustrate the implementation of a court order or the proper administration of justice, … and encompasses even those who have not taken any affirmative action to hinder justice.”160 Courts also have held that the All Writs Act requires, among other things, credit card companies to provide records to law enforcement161 and landlords to provide law enforcement with security camera footage.162

Apple vigorously opposed the federal government's attempts to require it to assist in breaking the security protections on the San Bernardino shooter's iPhone. Apple argued that the FBI's request goes beyond just asking for passive assistance in carrying out a pen register order; the government's request would require that Apple write software code to circumvent a security protection. That type of compelled speech, Apple argued, would violate the First Amendment. The California court never had an opportunity to rule on the dispute because in March 2016, the federal government withdrew its request for a court order. The government stated that a third party had assisted the FBI in accessing the content on the device, though it did not provide further details.

Although the California court never ruled on the high-profile dispute, a federal judge in Brooklyn ruled in 2016 that the All Writs Act does not require Apple to assist law enforcement in accessing an iPhone. In that case, the federal Drug Enforcement Agency received a warrant to search the residence of a drug-trafficking suspect. Among the items that the agents obtained in the search was an iPhone 5s.163 The government then obtained a warrant to search the iPhone. The government requested Apple's technical assistance to unlock the phone, and Apple said that it would only provide the assistance if it was ordered to do so by a court. The government requested a court order under the All Writs Act, and Apple opposed the request, arguing that the statute does not require Apple to write code to help circumvent the device's security features.

The U.S. District Court for the Eastern District of New York rejected the government's application for an order compelling Apple's assistance. Central to the court's ruling was the fact that Congress passed CALEA, which requires telecommunications carriers to assist law enforcement in carrying out search warrants but explicitly excludes “information service providers” such as Apple. If Congress had intended to require companies such as Apple to assist law enforcement, the court reasoned, Congress would have explicitly included the companies within the scope of CALEA or a similar statute. The court reasoned that if it were to adopt the government's broad reading of the All Writs Act, it would transform the statute “from a limited gap-filling statute that ensures the smooth functioning of the judiciary itself into a mechanism for upending the separation of powers by delegating to the judiciary a legislative power bounded only by Congress's superior ability to prohibit or preempt.”164

The court noted that the All Writs Act was enacted by the First Congress in 1789, during a time when the Founders carefully divided powers among the three branches of government. The court stated that it was difficult to imagine the Founders passing the All Writs Act with the intention of providing the executive branch with such broad powers. “The government's interpretation of the breadth of authority the AWA confers on courts of limited jurisdiction thus raises serious doubts about how such a statute could withstand constitutional scrutiny under the separation of powers doctrine,” the court wrote. “It would attribute to the First Congress an anomalous diminishment of its own authority (to deny a request to increase the executive's investigative powers it deemed inadvisable simply by declining to enact it) as well as an equally implausible intention to confer essentially unlimited legislative powers on the judiciary.”165

The Eastern District of New York opinion, while emphatic, is not binding on any court. Accordingly, there is a chance that another court – including an appellate court, which issues binding opinions – could view the All Writs Act in a more expansive light. Moreover, many law enforcement advocates are pushing Congress to pass a CALEA-like law that would explicitly require companies such as Apple to assist law enforcement with unlocking devices. In short, it is likely that technology companies' compelled assistance to law enforcement will continue to be a hotly debated issue in the judicial, legislative, and executive branches.

 
