Archive for the ‘Stored Communications Act’ Category

So holds the Fourth Circuit in an opinion by Judge Gregory. I would add just one minor tweak to the court’s analysis. Although the Stored Communications Act was enacted in 1986, the provision introducing intermediate-scrutiny 2703(d) orders was not enacted until 1994. See H.R.Rep. No. 103–827, at 31–32 (1994), reprinted in 1994 U.S.C.A.A.N. 3489, 3511–12. The original 1986 Act allowed the government to obtain all non-content information with a subpoena, and it did not add the greater privacy protection of a 2703(d) order until eight years later. See id. I only point that out because answering whether there is a long tradition of public access to 2703(d) orders naturally leads the court to find a starting date for 2703(d) orders; the appropriate date presumably should be ’94 instead of ’86.

UPDATE: On second thought, I suppose the proper date may be 1986. Reviewing the original 1986 Act, I see that it did indeed include a provision for the 2703(d) authority: The standard for the order was raised in 1994, but the order did exist in 1986. Sorry for the confusion.

This issue arose in Juror Number One v. Superior Court, handed down yesterday by the California Court of Appeal, Third District. Because the facts of the case are likely to recur, and they involve a statute I have written a lot about, I thought I would blog my thoughts on the case.

The case involves an investigation into juror misconduct. Exactly what happened is kind of murky, but here’s what I can piece together. During a two-month trial, the jurors were told that they couldn’t discuss the case with anyone. Despite this, one of the jurors — call him “Juror Number One” — posted status updates during the trial that were somewhat related to the case. Juror Number One had “friended” some of the other jurors, and they had access to the status updates, too. The losing party in the trial later found out about the status updates, and somehow obtained copies of what it thought were a complete set of status updates. The trial judge held a hearing and determined that based on the known status updates, there was no prejudice to the trial from the messages. The problem was that no one knew if this was the complete set of status updates. There may have been other status updates that were prejudicial but that weren’t part of the set that the losing party had obtained.

Yesterday’s decision arose in the course of trying to find the complete set of status updates. The losing party at the trial issued two subpoenas to try to get full copies of the postings. The first subpoena was to Facebook, and the second was to Juror Number One. Facebook moved to quash the subpoena on grounds that the subpoena violated the Stored Communications Act, and instead told the judge that the losing party had to subpoena the juror directly. Juror Number One moved to quash the second subpoena on grounds that it was overbroad. The trial judge did not rule on the subpoena to Facebook but quashed the subpoena to the juror on overbreadth grounds. The trial judge then decided that the best way to proceed was to order the juror to sign a consent form that consented to Facebook disclosing the juror’s relevant posting to the judge for in camera review. The idea is that the juror will be forced to consent to Facebook disclosing all the updates, and then the judge can review the full set of updates independently to determine if they were prejudicial. Juror Number One has objected to this procedure and in this appeal is arguing (primarily) that the consent order violated the Stored Communications Act, 18 U.S.C. 2701-11.

In the opinion, the court ruled that the Stored Communications Act did not bar the consent order because the consent order is being served on the juror, not Facebook. Although the Stored Communications Act limits efforts to compel Facebook to disclose evidence, the opinion reasons, that is not what is happening here: The court is effectively compelling the juror to disclose evidence, not compelling Facebook to disclose evidence. Granted, the court is compelling the juror to disclose evidence by forcing the juror to consent to Facebook disclosing evidence, but that’s basically the same thing. In a concurring opinion, Judge Mauro notes that this is a tough issue: The SCA bars the court from getting the information directly from Facebook, and here the court is trying to do indirectly what it cannot do directly.

This is a puzzling case, I think. First off, I think it’s probably the case that status updates are covered by the Stored Communications Act. It’s an awkward fit, but on the whole I think the best characterization is that Facebook provides remote computing services with respect to storing status updates for users. As a result, the SCA generally applies to efforts to obtain status updates from Facebook. The next question is whether this particular way to obtain information from Facebook is legal. This is somewhat complicated. On one hand, I suppose it’s true that ordering a person to sign a consent form does not directly violate the Stored Communications Act. The statute limits when the government can compel content from Facebook, and also when Facebook can voluntarily disclose content to either the government or private parties. But it does not directly control whether courts can compel consent forms to be signed.

The problem is that I don’t think the signed consent form has any legal effect under the statute. Without valid consent, Facebook is not permitted to disclose the status updates under 18 U.S.C. 2702. Consent allows Facebook to disclose the status updates if it chooses to, but does not require Facebook to do so. But here the court is compelling the juror to consent. It is a basic principle that compelled consent is not valid consent. You can’t put a gun to someone’s head, make them sign a consent form, and then hold up the consent form as valid. The court’s order strikes me as analogous to putting a gun to the juror’s head: The juror has to sign the consent form or else he will be held in civil or criminal contempt and possibly jailed. That’s not consent; it is compulsion. Because there is no voluntary consent, Facebook should not be allowed to disclose the status updates.

My sense, then, is that the trial court’s order is quite inappropriate. In effect, the court is trying to trick Facebook into inadvertently violating the SCA by making Facebook think that there is consent that allows Facebook to disclose the updates lawfully. If Facebook’s lawyers catch on, they will realize that this consent is invalid and should refuse to disclose the status updates to the court. But depending on how this is presented to Facebook, the folks at Facebook may not realize that the consent is invalid. Under the good-faith exception to civil liability, Facebook would probably escape civil liability in that situation. But the trial court should not be putting Facebook in this position anyway: Assuming that executing a scheme to have a party unknowingly violate the SCA violates the statute, then this would seem to violate the SCA. And even if executing such a scheme does not technically violate the statute directly, surely it is inappropriate for a judge to do such a thing.

What other options does the court have? The most obvious possibility is that the court should allow the losing party to subpoena the juror for all of the status updates during the relevant period that are relevant to the trial. The solution isn’t perfect. The juror might not comply with the subpoena, for example. But the Stored Communications Act limits compelled access to contents of communications directly from providers, and there does not appear to be an exception that applies here.

Thanks to How Appealing and co-blogger Eugene V. for the link.

The decision is Largent v. Reed (Pa. Common Pleas Nov. 8, 2011), and it involves a discovery request by the defendant in a civil case arising from a car accident. The defendant has filed a Motion to Compel Facebook Login Information in an effort to look through the plaintiff’s account for evidence that she was exaggerating her injuries. Judge Walsh grants the request, ruling:

Plaintiff . . . must turn over her Facebook login information to Defense counsel within 14 days of the date of the attached Order. Defense counsel is allotted a 21-day window in which to inspect [Plaintiff]’s profile. After the window closes, Plaintiff may change her password to prevent any further access to her account by Defense counsel.

Judge Walsh spends pages 10-12 considering how the Stored Communications Act applies to this situation, and given that he relies on an article I wrote, let me offer a quick comment. Judge Walsh writes that the Stored Communications Act isn’t implicated because the defendant seeks information directly from the plaintiff. As a result, neither the defendant nor the plaintiff is a regulated entity (known as an “RCS” or an “ECS”) under the statute:

In this case, [Defendant] seeks the information directly from [Plaintiff]. The SCA does not apply because [Defendant] is not an entity regulated by the SCA. She is neither an RCS nor an ECS, and accessing Facebook or the Internet via a home computer, smartphone, laptop, or other means does not render her an RCS or ECS. See Kerr, 72 Geo. Wash. L. Rev, at 1214. She cannot claim the protection of the SCA, because that Act does not apply to her. “The SCA is not a catch-all statute designed to protect the privacy of stored Internet communications.” Id. Rather, it only applies to the enumerated entities. Largent being neither an ECS nor an RCS, the SCA does not protect her Facebook profile from discovery.

While it’s true that neither the plaintiff nor the defendant is a regulated entity under the statute, Facebook clearly is. Facebook is an ECS provider in some ways and an RCS provider in other ways. As a result, the privacy of Facebook communications is protected by 18 U.S.C. 2701 of the Stored Communications Act, which protects ECS providers, in addition to 18 U.S.C. 1030, the Computer Fraud and Abuse Act, which protects all computers generally. Both of these statutes prohibit accessing electronic accounts without authorization or in excess of authorization. So while ordering the plaintiff to disclose her password to the defendant doesn’t itself violate the SCA or the CFAA, it’s at least an open question whether the defendant’s future act of accessing the plaintiff’s account might violate those statutes.

As with many questions of the CFAA (and related provisions of the SCA), it hinges on what “authorization” means. Here’s the question: If Facebook says that only the individual account holder can access the account; the individual account holder refuses to voluntarily disclose the password; and someone else accesses the account only because the account holder was forced by a judge to disclose the password, is the “someone else’s” access authorized or not? Put another way, what governs authorization: The views of Facebook and the views of the account holder, or the views of the trial judge who granted the discovery request? It’s not an easy question, creating a significant risk that granting the motion to compel invites the movant to commit a federal crime in the course of discovery.

There has been a lot of news coverage about the “subpoenas” served on Twitter for information about certain users relating to WikiLeaks. I gave an interview on the legal issues raised by investigation here to NPR’s Marketplace Tech Report (start around 1:45), and I wanted to offer a few more thoughts.

The “subpoenas” used in this case are actually 2703(d) orders, issued under 18 U.S.C. 2703(d), part of the Stored Communications Act. Section 2703(d) was enacted in 1994, and the idea was to add extra privacy protection to Internet account records beyond the usual subpoena protection afforded in criminal investigations. Under 2703(d), the government has to apply for the court order and prove “specific and articulable facts” that the information is relevant and material to a criminal investigation. This is less than a search warrant and more than a subpoena: It’s essentially the “Terry” standard, for those familiar with Fourth Amendment law. You can read all about the 2703(d) standard, and about the Stored Communications Act more generally, in A User’s Guide to the Stored Communications Act.

The interesting thing about the Twitter 2703(d) orders — as compared to 2703(d) orders in every other routine case — is that the orders in this case were made public after Twitter went to court to get them unsealed. Other than that, they’re standard orders that simply copy the model language used in DOJ’s computer search and seizure manual. Given that the orders used the model language, rather than tailoring it to the specific information that Twitter has, there is likely to be some negotiation between Twitter and DOJ as to exactly what the language means and what Twitter has to turn over. But based on the orders themselves, what is interesting is how standard this is. From what we know so far, it looks like these are the usual orders obtained in the usual way, much like any other computer crime case.

The Seventh Circuit decided an interesting Wiretap Act case today that was largely a replay of United States v. Councilman, the First Circuit case that I blogged about here a bunch of times back in 2004 to 2005. In the new case, United States v. Szymuszkiewicz (glad I don’t have to pronounce that one), the panel reached the right result. It agreed with the result of the en banc Councilman decision (if not its precise reasoning, given the curious narrowness of the Councilman decision) that it violates the Wiretap Act to go into someone else’s e-mail account and secretly program it to forward a copy of all of their e-mails to you.

After reaching the right result in this case, Judge Easterbrook then added some dicta in which he argued that other courts had misconstrued the Wiretap Act by imposing a requirement that the Wiretap Act only applies to “real-time” acquisition and not one-time access to stored contents. Judge Easterbrook is a brilliant guy, but his dicta badly misunderstand the Wiretap Act. Fortunately, Easterbrook’s errors raise some conceptually interesting questions about what leads judges to misread statutes. In particular, I wanted to post on one aspect that is a recurring issue in statutory privacy law: Whether judges can overcome the blinders imposed by the remedial context of the case before them.

To understand the problem, let’s start with the basic structure of the statutory privacy laws. Such laws generally have the following structure:

1) Anyone who intentionally does privacy-invading thing “X” commits a crime,
2) However, the government can do “X” if it has an appropriate court order based on a certain level of cause, and
3) Victims of “X” have a civil remedy against whoever does “X.”

Because of this structure, statutory privacy laws generally serve three distinct functions all at once: First, they impose criminal punishment for conduct that violates privacy interests (part 1 above); Second, they provide a civil remedy for victims against those who invade privacy interests (part 3 above); and Third, they enact a code of criminal procedure regulating law enforcement investigations by which the government can obtain court orders allowing them to invade privacy interests in appropriate cases (part 2 above).

This structure creates interpretive challenges for courts because judges often have very different instincts when interpreting criminal statutes, civil statutes, and codes of criminal procedure. Sound statutory interpretation requires understanding all of the remedial contexts, and how they work together: Otherwise a judge will confidently interpret the statute based on the assumptions of one remedial scheme in ways that are clearly mistaken (and create very odd results) in the other contexts.

The civil cases interpreting the Computer Fraud and Abuse Act (18 U.S.C. 1030), which prohibits “unauthorized access” to a computer, demonstrate the problem. In civil cases, computer owners come in to court asking judges to stop people from using their computers in ways the owners don’t like: Judges are very sympathetic to the request, so they are very willing to say that conduct the owner doesn’t like is “unauthorized” and that the behavior has to stop. But the same statute is a criminal statute, too. As a result, the civil cases interpreting the law inadvertently end up criminalizing a great deal of innocent conduct. (The usual rule of interpretation is that precedents from one setting are equally applicable to another setting, so the civil cases apply in the criminal realm.)

This problem is a recurring issue when it comes to understanding how the Wiretap Act applies to the Internet. On one hand, the Wiretap Act is primarily a rule of criminal procedure: The scope of the Act is relevant to thousands of criminal investigations every year. In contrast, there are usually only about 20 criminal prosecutions for wiretapping every year. However, Congress did not include a statutory suppression remedy for violations of the Wiretap Act for computer communications. This creates a really warped dynamic that I explained in this law review article in 2004: Because there is no statutory suppression remedy, there are no cases applying the Wiretap Act in the usual context in which it arises (that of criminal investigations). Thus the scope of the Wiretap Act tends to get litigated in very unusual settings that make it unusually likely that courts will misconstrue the statute.

I think that explains Judge Easterbrook’s dicta in United States v. Szymuszkiewicz. In this part of the opinion, Easterbrook has just held that, assuming that the Wiretap Act only applies to real-time monitoring — that is, acquisition contemporaneous with transmission — the monitoring here was contemporaneous. He then adds that he thinks there is no such requirement in the statute, contrary to what several other circuits have held. Here’s the passage, with my paragraph breaks added:

Continue reading ‘The Perils of Interpreting Statutes With Multiple Remedial Schemes: A Comment on the Dicta in United States v. Szymuszkiewicz’ »

Richard Bejtlich thinks so. Bejtlich’s theory sounds plausible: I also thought it was odd that I’d never heard of the group until today. Further, although the group is supposed to include lots of “big names,” the only person on the list who I had heard of was Mark Rasch, a consultant and former DOJ lawyer (sometimes incorrectly called the former chief of the DOJ computer crime unit — I believe Mark left DOJ before the unit was formed). And even Rasch has allegedly been involved with the group for only a short time. I suspect we’ll know more soon. Stay tuned.

Thanks to commenter Steve P. for the link.

Salon’s Glenn Greenwald has an interesting post about a group called “Project Vigilant,” which it seems is some sort of volunteer private-sector group that tracks hackers (and perhaps other bad guys). I say “seems” because I’ve never heard of the group, and it’s not entirely clear what it does. But a report in Forbes includes the following claim by someone named Chet Uber, who apparently is the head of it:

Uber . . . says the 600-person “volunteer” organization functions as a government contractor bridging public and private sector security efforts. Its mission: to use a variety of intelligence-gathering efforts to help the government attribute hacking incidents. “Bad actors do bad things and you have to prove that they did them,” says Uber. “Attribution is the hardest problem in computer security.”

According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”

Greenwald’s coverage suggests that the group is in cahoots with the feds, and that it is conducting some sort of mass surveillance of lots of people and then handing over the leads to the federal government. If that is true — which remains unclear to me — then the legality of the project’s work strikes me as questionable. The Stored Communications Act (SCA), codified in relevant part at 18 U.S.C. 2702, generally protects the privacy of ISP records in the United States, including IP addresses, from voluntary disclosure. The question is, does Project Vigilant violate the SCA, and specifically, Section 2702?

There are a few exceptions to this rule in 18 U.S.C. 2702(c) that might apply to “Project Vigilant” — but then, they might not. The weakest rationale for the legality of the disclosure is the rationale offered in the story — that “the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs).” There is a consent provision in Section 2702, found in 2702(c)(2), but given that it mirrors the language of the Wiretap Act’s consent exception — and that exception requires actual notice, not constructive notice — I doubt a claim hidden in a EULA suffices to generate consent. As the First Circuit stated in United States v. Lanoue in interpreting the Wiretap Act’s analogous consent provision:

Keeping in mind that implied consent is not constructive consent but “‘consent in fact,’” consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance “‘from surrounding circumstances . . . that the [party] knowingly agreed to the surveillance.’” Griggs-Ryan v. Smith, 904 F.2d 112, 116-17 (1st Cir. 1990) (quoting Amen, 831 F.2d at 378) (emphasis supplied). We emphasize that “consent should not casually be inferred,” Griggs-Ryan, 904 F.2d at 117, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.

I don’t see how a term in a EULA no one actually reads can satisfy that standard.

Another exception is the exception permitting disclosure of non-content records to a non-government entity found in 2702(c)(6). It seems that Project Vigilant is formally a private sector group, but that raises a question that no cases have addressed: What sort of line does the Stored Communications Act draw between a private group and the government? Can a private group essentially launder data and give it to the government to get around the 2702 limitations on voluntary disclosure? I doubt it. Given that the SCA is essentially a statutory version of the Fourth Amendment, I would guess that the private/government line in the SCA is the same as the line drawn in Fourth Amendment law for when a private group becomes a state actor. The Supreme Court has never been entirely clear about what the standard is (circuit court tests vary somewhat), but the general idea, as stated in Skinner v. Railway Labor Executives’ Association, is that “[a]lthough the Fourth Amendment does not apply to a search or seizure, even an arbitrary one, effected by a private party on his own initiative, the Amendment protects against such intrusions if the private party acted as an instrument or agent of the Government.” Does “Project Vigilant” act as an agent of the government? It’s not clear, but if it does, I would think they cannot rely on the exception permitting disclosure to a non-government entity in 2702(c)(6).

There are two more exceptions that would apply only if the scope of “Project Vigilant” is much, much narrower than the Forbes and Greenwald stories suggest. To make a long story short (or at least a long post slightly less long), ISPs can disclose records about actual computer intrusions. They can release records of the intrusion to protect their own network under 2703(c)(3), although the scope of the disclosure has to be tailored to the actual threat to the network. And they can disclose records of individuals who were not legitimate subscribers or customers, such as the hackers themselves, as the limit on disclosure only applies to the records of actual legitimate subscribers. So those disclosures are allowed, but they’re of a much more limited nature than the stories suggest.

If I had to guess, I would guess that “Project Vigilant” is a lot narrower than Uber’s quote suggests. Perhaps this was a bit of exaggeration to the press, or some poor reporting by Forbes (in general, reporters on the surveillance beat turn every story into Big Brother). But if Uber’s quote reflects the reality of what the “Project” does, its legality strikes me as questionable.