Appeals Court Upholds Its Denial Of DOJ's Demand For Microsoft's Overseas Data

from the go-bother-some-legislators,-kid dept

After being handed a loss in its judicial quest to force Microsoft to hand over data held in Ireland, the DOJ asked the Second Circuit for a rehearing of its July decision. At the center of the case is the DOJ's belief that it should be able to force US companies to turn over data/communications contained in overseas servers.

The government wants to have it both ways with its warrants for electronic data. On one hand, it analogizes data demands as being no different than digging through a filing cabinet found in a house it's searching. It argues that data held in servers/devices should be treated no differently than the personal papers the founding fathers tried to protect with the Fourth Amendment.

Then it argues that even if the "filing cabinet" isn't located on the premises it has a warrant to search, it should be able to access the contents of that cabinet. This, from Microsoft's motion to dismiss, explains what the government is truly asking for, using the sort of physical world comparisons the DOJ understands.

The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad.

In its original decision, the Appeals Court pointed out that Congress clearly didn't intend the wording of the Stored Communications Act to cover foreign data centers, no matter what sort of twisted, hybrid paperwork the feds served Microsoft in hopes of routing around territorial limitations. The court noted, as it often does, that if the DOJ wanted its half-warrant/half-subpoena to both skirt mutual assistance treaties and the court's interpretation of the SCA, then it needed to approach Congress directly and get the SCA updated/amended.

And, indeed, the DOJ has done exactly that. It's seeking legislation specifically targeting the terroritorial limitations in the SCA that prevent it from doing what it wants to. But in the meantime, the DOJ thought the court should take another swing at it. The Second Circuit has decided to pass on this opportunity. But it has issued an affirmation [PDF] of its original ruling, with some additional dissenting voices appended.

An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.

Tuesday's 4-4 vote by the 2nd U.S. Circuit Court of Appeals in Manhattan let stand a July 14 decision that was seen as a victory for privacy advocates, and for technology companies offering cloud computing and other services worldwide.

But the dissenting judges said that decision by a three-judge panel could hamstring law enforcement, and called on the U.S. Supreme Court or Congress to reverse it.

"The panel majority's decision does not serve any serious, legitimate, or substantial privacy interest," Circuit Judge Jose Cabranes wrote in dissent.

The opinion doesn't tell the DOJ anything it didn't tell it previously, other than that the court is evenly divided. The decision reiterates points the DOJ didn't like the first time around. And, once again, it directs the DOJ's efforts at legislators, while also pointing out the dissent's similar willingness to interpret the law in ways Congress never intended.

The position of the government and the dissenters necessarily ignores situations in which the effects outside the United States are less readily dismissed, whichever label is chosen to describe the “focus” of the statute. For example, under the dissents’ reasoning (as we understand it), the SCA warrant is valid when (1) it is served in the United States on a branch office of an Irish service provider, (2) it seeks content stored in Ireland but accessible at the U.S. branch, (3) the account holding that content was opened and established in Ireland by an Irish citizen, (4) the disclosure demanded by the warrant would breach Irish law, and (5) U.S. law enforcement could request the content through the MLAT process. This hardly seems like a “domestic application” of the SCA.

Rather, we find it difficult to imagine that the Congress enacting the SCA envisioned such an application, much less that it would not constitute the type of extraterritorial application with which Morrison was concerned. Indeed, calling such an application “domestic” runs roughshod over the concerns that undergird the Supreme Court’s strong presumption against extraterritoriality, and suggests the flaw in an approach to the SCA that considers only disclosure.

The DOJ's flawed approach is also its most common approach. It seems genuinely baffled/irritated when its requests -- and its interpretation of the law -- are challenged. It views laws that don't allow it to do what it wants to do as broken. Rather than view limits in laws as guidance to help keep it aligned with Constitutional rights, it tends to do what it wants and let the courts sort it out.

Sure, the judicial process isn't exactly speedy, but it has better odds and a faster turnaround time than guiding legislation through multiple Congressional hoops. And it will continue to play the odds because not every service provider has the resources or legal acumen to fight back against unlawful demands.

Filed Under: data, doj, ireland, overseas, privacy, second circuit, subpoena, warrant
Companies: microsoft

Feds Gagged Encrypted Communications Firm Open Whisper Systems Over Massively Overbroad Subpoena

from the and-then-backed-down dept

This morning the ACLU announced that it had convinced the government to remove a ridiculous gag order on a subpoena that had been sent to Open Whisper Systems, the makers of the popular Signal encrypted messaging app, and whose encrypted communication protocol is used by many others, including WhatsApp, Facebook and Google for their encrypted messaging offerings. It's not that surprising that a grand jury would issue a subpoena to Open Whisper Systems demanding "subscriber name, address, telephone numbers, email addresses, method of payment, IP registration, IP history logs and addresses, account history, toll records, upstream and downstream providers, any associated accounts acquired through cookie data, and any other contact information from inception to the present" for certain accounts being investigated. But, of course, Open Whisper Systems has basically none of that data. It "complied" with the subpoena to the extent that it could, which is basically that the only information it has is when the account was created and the last time it was accessed: As Marcy Wheeler rightly points out, the request itself is way too broad, covering information that the government is not allowed to ask for under ECPA (Electronic Communications Privacy Act). But, it's not like the government feels it needs to follow its own laws anyway...

The really concerning part about this, however, is that the subpoena came with an unnecessary and likely unconstitutional gag order. The gag order was, at least, bounded. After years of the DOJ issuing gag orders with no end date, at least this one was limited to one year. However, as the ACLU pointed out, a gag order needs to meet a pretty high bar to get over the fairly large First Amendment hurdle. And this one did not do that:

A magistrate judge signed the gag order, citing “reason to believe that notification of the existence of the . . . subpoena will seriously jeopardize the investigation [under prosecution by the grand jury], including by giving targets an opportunity to flee or continue flight from prosecution, destroy or tamper with evidence, change patterns of behavior, or notify confederates.”

Of course, those risks could be real, and the government’s need for secrecy in law enforcement investigations cannot be dismissed outright. But that general interest applies in virtually every criminal investigation, including those involving the public execution of search warrants. To meet the stringent First Amendment standard, any gag must be justified by something much greater. The First Amendment requires that to close courtrooms or seal evidence—and especially to prohibit a party from speaking publicly on a matter of public concern—the government demonstrate a compelling interest in secrecy, and it must apply that secrecy in the narrowest possible way. But instead, the government appears to seek blanket gag orders by default, without considering precisely what information can be disclosed without harm to its interests.

Open Whisper Systems went to the ACLU. The ACLU reached out to the government with a friendlier version of "WTF?" -- and the government basically backed down immediately, more or less admitting that the gag order was bogus:

To its credit, the government quickly agreed with us that most of the information under seal could be publicly disclosed. But the fact that the government didn't put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it.

OWS immediately recognized that even though the government required some secrecy over the subpoena, it did not need, nor could it justify, total secrecy. So OWS came to us, and we went to the government, which agreed to reverse its original demand for secrecy—and now OWS’s customers and the broader public can see for themselves just how wildly overbroad the government’s gag order was from the jump. And while this—the only one ever received by OWS—is now public, there are many more like it, hiding in the filing cabinets in the U.S. attorney’s offices across the country.

Of course, this leaves the big open question implied by the ACLU's statement above: how many other companies have also received unconstitutional gag orders, and simply complied? The larger tech companies have gotten much better (in the post-Snowden era) of pushing back against such gag orders, but for smaller companies it's likely that many are just complying, because they don't have either the resources or knowledge that this kind of thing is not actually allowed.

Filed Under: 1st amendment, encrypted communications, encryption, gag order, signal, subpoena
Companies: aclu, open whisper systems

ACLU Challenges Gag Orders Issued To Tech Companies By The DOJ

from the hey,-we-notified-SOMEBODY...-that-counts-for-something dept

The ACLU is hoping to intervene in Microsoft's legal battle against the government, challenging gag orders attached to warrants and subpoenas issued under the Electronic Communications Privacy Act (ECPA). Microsoft sued the DOJ back in April, arguing for the right to notify customers that their communications and data have been handed over to the government.

Microsoft didn't have a problem with the government's gag orders in every case. It's just that the demand for secrecy accompanied more than half of the ~300 orders per month Microsoft receives. And nearly 70% of those gag orders arrived with no fixed end date.

The ACLU petitioned the court to intervene in the case on its own behalf, citing its position as a Microsoft customer. The DOJ filed a motion to dismiss Microsoft's lawsuit, hoping the court will find Microsoft has no standing to challenge gag orders on its customers' behalf. The ACLU is trying to prevent this from happening until the DOJ addresses the issues raised by the ACLU's (attempted) intervention. In its opposition [PDF] to the DOJ's motion, the ACLU points out that the government's "no standing" argument pretty much nullifies any sort of due process for Microsoft customers (including the ACLU) who've been targeted by the DOJ's super-secret warrants, relegating them to a Kafka-esque legal purgatory.

The government attempts to insulate its refusal to provide notice from judicial review, arguing that neither Microsoft nor the ACLU has standing to raise these important constitutional questions. By the government’s logic, Microsoft does not ever have standing to defend its customers’ right to notice, and Microsoft’s customers, including the ACLU, may not defend their own right to notice until after they receive the primary relief they would seek—that is, notice. In the government’s view, the only plaintiffs who have standing to sue for notice are those who have already gotten it, and those deprived of notice forever have no ability to seek a remedy at all. That is not the law.

The hope here is to not only find the open-ended gag orders unconstitutional, but also the law granting this secrecy -- the ECPA -- unconstitutional as well. The shift from physical "papers" to digital files was addressed by legislators in the worst way possible. The ECPA did away with the notification requirement attached to searches of physical places. When a home or business is searched, the owner or resident is served with a warrant. For electronic communications, a third party is approached. Legislators apparently felt as long as someone was notified, that was good enough -- even if that someone isn't the target of the search warrant.

That's basically the government's argument: notice is served to the site of intrusion. If the affected parties don't actually reside there (but their "papers" do), too bad.

The government’s argument conflates a historical anachronism with a constitutional principle. The government is correct that officers traditionally provided Fourth Amendment notice at the physical site of the intrusion. But that is so because, for the first 175 years of the Fourth Amendment’s application, it was understood to cover primarily physical trespasses. See Katz, 389 U.S. at 353. As a result, notice provided at the site of the intrusion was notice to the individual whose Fourth Amendment rights were at stake. It is no surprise, therefore, that Federal Rule of Criminal Procedure 41 reflects that historical context. Under Rule 41(f), an officer executing a warrant must “give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property.”

The ECPA is the DOJ's argument committed to paper. Notice only needs to be provided to the third party where communications and documents are held. To ensure the party whose documents/communications are being taken is kept out of the loop, the DOJ takes the wording of the law to heart and ignores the intent behind the Fourth Amendment protections granted to citizens.

The ECPA does not require the government to provide notice when it relies on a warrant, and so the government now routinely searches and seizes individuals’ electronic communications without providing any notice—delayed or otherwise—to those whose private information it has obtained. According to Microsoft’s Complaint, nearly half of the federal demands it has received under ECPA in the last eighteen months were accompanied by gag orders, the majority of which contained no time limit. Accordingly, a substantial portion of the individuals whose electronic communications the government demands from Microsoft receive no notice whatsoever, from either the government or Microsoft.

The law undercuts the Fourth Amendment by preventing those affected from challenging the lawfulness of the search or seeking redress through the judicial system for violations. Gag orders that run indefinitely allow the government to avoid being held accountable for any wrongdoing. In addition, the service of warrants to third parties is done without any meaningful oversight, putting the DOJ in the position of policing itself -- something it does with no particular enthusiasm or effectiveness.

Filed Under: doj, ecpa, gag order, standing, subpoena, surveillance, warrants
Companies: aclu, microsoft

DOJ Pushes Out Legislation Proposal To Undercut Microsoft Case Decision About Overseas Searches

from the please-please-please-let-us-get-what-we-want dept

No sooner had the ink dried on the Second Circuit Appeals Court decision regarding Microsoft and its overseas servers than new legislation designed to undercut the court's finding has been printed up by the DOJ and presented to the administration.

Microsoft successfully argued that the US government couldn't force it to unlock a server in Dublin, Ireland, so it could rummage around for evidence. Nor could the DOJ force the company to act on its behalf, performing a search of its overseas servers for documents the US government couldn't access otherwise.

Since that decision obviously just won't do, the DOJ has presented proposed legislation [PDF] that would alter existing Mutual Legal Assistance Treaties (MLATs) so the agency can do the very thing a court just said it couldn't do.

The details are discussed in, um, detail over at the Lawfare blog by none other than a former DOJ lawyer (David Kris). Needless to say, the post skews towards "supportive," but the analysis is thorough and offers some excellent insight on what the DOJ hopes to open up -- and what it's willing to concede in return for this new power.

The law would limit searches to communications from non-US citizens located abroad and only for criminal investigations. This would prevent the altered MLATs from being used by US agencies to gather intelligence, restricting them only to gathering evidence of criminal activity. That being said, for every concession made, there's a DOJ land grab.

The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3).

Of all the places to remove existing limits, the DOJ has chosen three of its most-abused laws/statutes. The Wiretap Act has been rendered toothless by the DEA's collusion with a judicial rubber stamp in California and used by the DOJ to push American telcos into doing its spying for it. The Stored Communications Act was just another (failed) angle of attack for the DOJ in its fight against Microsoft. And the Pen Register Act has been used as a cover for Stingray deployments by multiple law enforcement agencies, all with the tacit approval of the FBI, which still acts as a middleman in every IMSI catcher purchase by local PDs.

From there, the DOJ offers a melange of legal authorities to govern its searches of foreign servers.

The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2).

[...]

Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861.

[...]

Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirements—e.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement.

At first blush, these would seem to subject DOJ requests to multiple forms of oversight. But it most likely won't. The self-written loopholes allow for plenty of "search first, ask permission later" action.

Of course, the requirements are not exactly the same as those the Fourth Amendment would compel—for example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge.

On top of that, the folding in of FISA language allows the FBI, et al to interpret "criminal investigation" very loosely.

Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime.

So, despite saying the MLAT alterations would be limited to investigatory work, rather than intelligence gathering, the new agreements could be read as permitting both. And, despite restricting agencies from using foreign government to obtain data or communications they otherwise wouldn't be able to access, the proposal does allow these entities to provide US agencies with data and communications involving US persons. Sure, there are minimization procedures, but they're apparently tied to restrictions built into foreign governments' laws rather than our own, and auditing for abuses of this access is limited to a review every half-decade -- hardly the sort of thing that stops abuse in its tracks.

And the minimization procedures deployed by foreign governments when handing over info on US persons are tied to a bunch of exceptions -- the usual parade of horrors agencies use to justify intrusive surveillance.

[A] foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.”

So, it can't be used for anything not included on the "serious crimes" list, which doesn't leave much. There's not a whole lot of criminal activity that can't be squeezed into this laundry list. Moving violations? Jaywalking? Lord knows anything drug-related will still be considered "dangerous," even if most of the threat is composed of overreacting drug warriors lobbing flash bangs into cribs at 5 am.

Obviously, the DOJ wasn't just going to stand by and let the Second Circuit determine how it's going to operate. This bill may have been a long time in the works, but its public debut is impeccably timed.

Filed Under: doj, ireland, jurisdiction, legislation, subpoena, warrant
Companies: microsoft

Huge Win: Court Says Microsoft Does Not Need To Respond To US Warrant For Overseas Data

from the big-news dept

We've been following an important case for the past few years about whether or not the US can issue a warrant to an American company for data stored overseas. In this case, Microsoft refused to comply with the warrant for some information hosted in Ireland -- and two years ago a district court ruled against Microsoft and in favor of the US government. Thankfully, the 2nd Circuit appeals court today reversed that ruling and properly noted that US government warrants do not apply to overseas data. This is a hugely important case concerning the privacy and security of our data.

The key issue here is that the US government was basically on a fishing expedition for information hosted on Microsoft Outlook.com email servers. And there are a few really key issues, concerning jurisdiction, privacy and the all important difference between a subpoena and a warrant (something that many people seem to think are the same thing). Microsoft's own response to the lawsuit did a really good job explaining the issues and how the government wanted to pretend a warrant was a subpoena, and what that meant for the 4th Amendment:

The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

It was unfortunate that two judges at the district court level basically ignored this argument, so it's good to see the appeals court shoot it down completely.

For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.

Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term “warrant” in the Act to require pre‐disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument’s territorial limitations and other constitutional requirements. The application of the Act that the government proposes ― interpreting “warrant” to require a service provider to retrieve material from beyond the borders of the United States ―would require us to disregard the presumption against extraterritoriality that the Supreme Court re‐stated and emphasized in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. __, 2016 WL 3369423 (June 20, 2016). We are not at liberty to do so.

In the full discussion, the court points out where the lower court went wrong, thinking that thanks to the PATRIOT Act, a warrant could apply to the location of the service provider rather than the location of the server. But the court says that's clearly wrong, and the Congressional record makes it pretty clear that it was looking to apply the law just to the United States. As for the idea that the warrant was really a subpoena in disguise, the court says that's not how it works:

Warrants and subpoenas are, and have long been, distinct legal instruments. Section 2703 of the SCA recognizes this distinction and, unsurprisingly, uses the “warrant” requirement to signal (and to provide) a greater level of protection to priority stored communications, and “subpoenas” to signal (and provide) a lesser level. 18 U.S.C. § 2703(a), (b)(1)(A). Section 2703 does not use the terms interchangeably. Id. Nor does it use the word “hybrid” to describe an SCA warrant. Indeed, § 2703 places priority stored communications entirely outside the reach of an SCA subpoena, absent compliance with the notice provisions. Id. The term “subpoena,” therefore, stands separately in the statute, as in ordinary usage, from the term “warrant.” We see no reasonable basis in the statute from which to infer that Congress used “warrant” to mean “subpoena.”

[....] We see no reason to believe that Congress intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international application.

There is, of course, the further issue of Microsoft being a US company, but the court says that doesn't magically make its overseas data subject to these kinds of warrants, because the intent of the law is to protect the privacy of users' communications, not to make it easier for the government to snoop.

The reader will recall the SCA’s provisions regarding the production of electronic communication content: In sum, for priority stored communications, “a governmental entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure,” except (in certain cases) if notice is given to the user....

In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution’s protections of citizens’ privacy against unlawful searches and seizures. And more generally, § 2703’s warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key concern.

The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government’s (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user’s privacy interests, dictating the stringency of the procedural protection they receive—in particular whether the Act’s warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the “object[] of the statute’s solicitude,” and the focus of its provisions.

The court goes on at length arguing that the Stored Communications Act's default is that communication privacy must be protected, and the exceptions are narrow.

All three judges on the panel agreed, but one -- Judge Gerard Lynch -- wrote a concurrence that tries to undercut the strong 4th Amendment/privacy arguments in the overall opinion, basically noting that he believes the decision doesn't come down to 4th Amendment issues or privacy protection, but merely how Congress drew up the law in the Stored Communications Act -- and basically argues that if Congress doesn't like this result, it can just rewrite the law.

It's also important to note that Rule 41 is the underpinning of much of this case, and that's the rule that the courts recently agreed to change to allow the DOJ more power to simply hack overseas servers. That shouldn't directly impact this particular case or similar situations, but does show how the DOJ is looking for ways to create endruns around limitations on domestic laws to try to get international data.

Still, for now, this ruling is a surprisingly good one, reinforcing privacy protections in overseas data. Kudos to Microsoft for going to court over this when it would have been quite easy for it to just give in and hand over the data. I assume that the US government will seek to get this ruling overturned, either via an en banc hearing on the 2nd Circuit or going to the Supreme Court, so the case isn't over yet. But, as for right now, it's in a good position.

Filed Under: 2nd circuit, 4th amendment, communications, doj, ecpa, email, ireland, jurisdiction, privacy, sca, subpoena, warrant
Companies: microsoft

Homeland Security Has Not Sent Us A Subpoena

from the just-an-update dept

A couple weeks ago, we wrote about a phone call (and follow up emails) we received from Homeland Security indicating an interest in sending us a subpoena, asking for any identifying information we had on a commenter. That commenter had posted a (somewhat ridiculous) comment, in response to another story, about a guy who had nearly a quarter of a million dollars taken by him by Customs and Border Patrol (CBP) under civil asset forfeiture rules. The commenter, somewhat weirdly, suggested that the guy who had this money stolen might "know people" who could murder the agents who took the money. It was clearly not a threat. It was random idle speculation.

But, for whatever reason, the sister agency of CBP, called Homeland Security Investigations (HSI -- which was formerly Immigration and Customs Enforcement, or ICE), decided that it wanted to subpoena the information on the commenter. Through our lawyer, we noted that we had serious First Amendment concerns about the chilling effects this might have if even weird comments like that lead to federal law enforcement knocking on people's doors. We explained that we were happy to look over the details, but in the absence of more information suggesting a real and legitimate threat, we were inclined to resist complying with the subpoena to protect our users. We also noted that we were publishing the info on Techdirt at the time, given a similar situation with Reason's website came with an almost certainly unconstitutional gag order, and we wanted to explain what was happening prior to any similar order.

Some people have asked for an update on the situation and it's this: nothing has happened. We haven't received any subpoena at all. In fact, we've received no further communications at all from Homeland Security. It is possible that something is still coming, but we hope that the agents at HSI and anyone else involved with this have realized that this is not a worthwhile activity. We'll keep you updated, should anything change.

Filed Under: cbp, civil asset forfeiture, comments, dhs, first amendment, homeland security, subpoena

Mississippi Attorney General Jim Hood Withdraws Google Subpoena As Google Appeals Court Ruling

from the not-over-yet dept

Earlier this month, the Fifth Circuit appeals court tossed out the lawsuit that Google had filed against Mississippi Attorney General Jim Hood, following Hood's decision to send a subpoena that was written by the MPAA's lawyers, as part of a plan by the MPAA to pay money to get state Attorneys General to attack Google.

While some in the legacy copyright world painted the ruling in the Fifth Circuit as a "victory" for Jim Hood, and a loss for Google, anyone reading the details would recognize it was anything but that. The court made it pretty clear that Hood's subpoena was ridiculous and had no chance of surviving a judicial review... but dumped the case on a procedural issue, arguing that since Jim Hood had not yet taken any action concerning Google's unwillingness to respond to parts of the subpoena, there was nothing to dispute. Basically, the court said "wait until Hood actually tries to force you to do something... and then we'll tell him his subpoena is bogus."

Google has now asked the appeals court to reconsider throwing out the case, but also reveals an interesting tidbit in the footnotes: it appears that after the ruling, Hood withdrew the entire subpoena: If you can't read that, it says:

By letter of April 22, 2016, Hood withdrew the subpoena that Google had challenged.

That should be a pretty clear indication that this wasn't the victory some of the MPAA/Hood supporters have been claiming. Of course, Google does think it's entirely possible that Hood will issue an updated subpoena, which is part of the reason that it's asking the court to review the ruling. In a later footnote it points out that along with the withdrawal letter, Hood did warn them that the letter requiring Google to retain documents for possible litigation "remains in effect."

As for the meat of Google's petition, the company argues that the court was wrong to dump the entire lawsuit, pointing out that there were two claims in the original filing -- one for injunctive relief (i.e., blocking Hood from doing anything with the subpoena) and one for declaratory judgment (basically saying that the company was doing nothing wrong). The company says that the ruling tossing the lawsuit just referred to the injunctive relief question, not the declaratory judgment -- and further makes the argument that there was a real risk of Hood pursuing unconstitutional measures, meaning that a lawsuit for declaratory judgment is perfectly reasonable.

The panel directed the district court to dismiss the entire case as unripe because Google had not shown an “imminent threat of irreparable injury.” ... But that standard does not apply to Google’s claims for declaratory relief regarding threatened enforcement action. Under settled law, such claims “need cross only a low threshold; the Supreme Court requires no more than a ‘credible threat of prosecution,’ one that is not ‘chimerical,’ or ‘imaginary or speculative.’” .... Google met that standard. Accordingly, Google requests that the panel amend its decision to permit Google’s claims for declaratory relief regarding threatened enforcement action to proceed.

Of course, it's also possible that the court may argue that even if that's true, the whole thing is moot now that Hood has withdrawn the subpoena.

Google tries to address that as well, but I'm not convinced the court will buy it.

In addition to identifying specific conduct he deemed unlawful, Hood took concrete steps that reinforced the peril Google faces. He wrote the company’s outside counsel requesting that Google “preserve potentially relevant information that may be used as evidence in pending or reasonably foreseeable litigation.”... Hood gave a presentation to fellow attorneys general that detailed Google’s alleged wrongdoing, explained the elements of “Possible Causes of Action,” and offered theories to overcome Google’s anticipated defenses.

It's in this section that Google includes the footnote noting that Hood told the company that the preservation letter was still in effect, suggesting that he may still intend to go after Google.

Still, it looks like all the MPAA got for the hundreds of thousands of dollars it threw at this was making Mississippi's Attorney General look foolish, and showing just how far the MPAA will go to try to attack Google, rather than adapt to the internet.

Filed Under: 5th circuit, declaratory judgment, free speech, jim hood, mississippi, section 230, subpoena
Companies: google, mpaa

Judge Calls Out Prosecutors For Bogus Subpoena Gag Orders

from the it's-a-request,-not-a-demand dept

At long last, it appears some prosecutors will no longer be putting BS gag orders on their subpoenas. Eastern District of New York judge Raymond J. Dearie has expressed his displeasure with the language found on nearly all subpoenas issued by the Brooklyn, New York US Attorney's Office.

With the exception of National Security Letters, recipients of subpoenas are free to inform the targets of the documents as well as discuss them publicly. (The exception is financial institutions served in grand jury investigations related to fraud or drug trafficking.) But that doesn't stop prosecutors and investigators from adding misleading statements to their subpoenas. They can only ask recipients not to disclose anything. They can't demand it. That's called "prior restraint" -- something the government should be taking great care to avoid. But some still make it appear as though the recipient has no choice but to comply and shut up.

As was covered here earlier, Reason's website received a subpoena for information on its commenters. Included with the subpoena was a request that Reason not talk about it. Reason's attorneys understood it was only a request and went ahead and informed the commenters targeted by it. Most recipients won't do this because prosecutors either utilize deliberately vague wording (making it seem more like a demand than a request) or verbally suggest any disclosure could result in criminal charges for the recipient.

The latter tacic was deployed in the Reason case. When it informed the US Attorney's office that it would be making the subpoena public, AUSA Niketh Velamoor suggested the site was "coming close" to "interfering with a grand jury investigation."

Judge Dearie has gone after the US Attorney's Office in Brooklyn for basically doing the same thing. A subpoena related to a cocaine smuggling investigation issued to a law office contained the following words:

You are hereby directed not to disclose the existence of this subpoena, as it may impede an ongoing investigation.

No subtlety there. This is an order -- and an illegal one at that. The battle over that phrase resulted in the discovery of widespread abuse by the prosecutor's office.

The Gigliotti case suggests that this was not the first time that prosecutors in the Eastern District of New York made such a demand. “Policy was violated multiple times here,” Judge Raymond J. Dearie wrote last week in a ruling, “and it is apparent that such violations are not isolated to this case.”

The lawyers challenging the wording called it "blatantly improper." The judge called it a "violation." The office issuing the bogus wording called it something else: "inadvertent." (It agreed it was "improper," but refused to take responsibility for crafting the words it crafted.)

Prosecutors said they will fix this going forward, although they were vague enough on details that Dearie had more harsh words for them.

In a decision last week, Judge Dearie called the government’s response “disappointing” and “glib,” saying prosecutors did not outline the scope of the problem or how they would address it.

'“Now that the government is unambiguously on notice of this problem and the need to correct it, continued violations could well warrant severe remedies,” Judge Dearie wrote.

“The government proceeds at its peril.”

Most likely, the prosecutors will continue to issue verbiage that strongly suggests recipients keep their mouths shut. They're apparently going to put this wording on a separate piece of paper (rather than on the subpoena itself) from now on, as if that somehow changes the implicit severity of the misleading language.

While it is good to see the office called out for its bogus demands, little will change if it can regularly rely on the ignorance of subpoena recipients to maintain the secrecy it can't actually demand. The more foreboding the wording sounds, the more likely it is that these "requests" will be complied with. The most honest solution would be to remove the wording entirely, unless nondisclosure is stipulated by statute.

Filed Under: brooklyn attorney's office, gag order, raymond dearie, subpoena

Congress Still Fighting SEC's Investigation Of Alleged Insider Trading By Its Members

from the 'pretty-sure-we're-above-the-law,-judge' dept

Congress is once again declaring its willingness to hold everyone in the nation accountable for their actions, present party excepted.

Back in 2011, it was revealed that members of Congress were participating in insider trading. Spending a great deal of time conversing with lobbyists tends to result in the discussion of information that has yet to be made public. Legislators, being the opportunists they are, chose to buy and sell stock based on this insider info. Lobbyists -- also opportunists -- sometimes did the same thing. And it was all perfectly legal... at least for Congress.

This revelation did nothing to increase the public's goodwill towards its so-called "representatives." With its approval percentage (15%) sliding below that of Bernie Madoff's personal loan applications, Congress swiftly acted to close this loophole in the law.

Two years later, with everyone safely re-elected, Congress quietly excised the disclosure requirement in the new law, making it virtually impossible to verify whether or not it was actually playing by the rules it had made for itself. Predictably, it called the disclosure of such information a "national security risk."

Meanwhile, the SEC opened an investigation into Congressional insider trading related to health insurance companies. Congress refused to answer subpoenas or provide documents to the Commission. When ordered to by a federal judge, the House Ways and Means Committee gently explained that it could do whatever the fuck it wanted to.

The U.S. House Ways and Means Committee and a top staff member say the panel and its employees are "absolutely immune" from having to comply with subpoenas from a federal regulator in an insider-trading probe.

Two years later, Congress is still arguing that rules and laws are for people who can't write their own rules and laws. Judge Paul Gardephe didn't buy Congress' arguments that its conversations with lobbyists were so "privileged" they couldn't be examined by another federal agency. He also pointed out that the "immunity" it relied on was carved out by the very law they had passed to address insider trading a steep drop in approval ratings.

On November 13, U.S. District Judge Paul Gardephe agreed with most of the SEC’s claims and ordered Congress to comply with the subpoena within 10 days. “Members of Congress and congressional employees are not exempt from the insider trading prohibitions arising under the securities laws,” he wrote. Gardephe reminded the attorneys that “Congress barred such claims of immunity when it adopted” the STOCK Act.

Congress' top lawyer fought back, claiming certain, very specific words were missing from the STOCK Act and that legislators' immunity was still intact.

Kerry W. Kircher, the House general counsel, requested more time. Then, shortly before Thanksgiving, on November 25, he filed a motion to appeal the subpoena to the 2nd Circuit. Kircher argued that the STOCK Act did not explicitly authorize the SEC to issue subpoenas to Congress, even to investigate insider trading.

This may not result in the investigation being scuttled or the lawsuit being tossed, but it does buy Congress more time to figure out its next accountability-dodging move. Meanwhile, Congress members are doing what they can to ensure the battle the SEC is waging to at least hold them as accountable as their own STOCK Act promised they would, will be long, expensive and hopefully, ultimately fruitless. These efforts are also shady as hell.

Away from the spotlight, however, congressional leaders continue to fight enforcement and to shore up the target of the SEC inquiry. Rep. Pat Tiberi, R-Ohio, and Rep. Diane Black, R-Tenn., two lawmakers who served on the same committee as Sutter, have used PAC money to donate to the legal defense fund set up to defend him.

Campaign funding -- itself a toxic wasteland where morality and ideals go to die -- is being rerouted to keep Bruce Sutter, a former Ways and Means Committee member who allegedly passed on non-public Medicare reimbursement information to a lobbyist for law firm Greenberg Taurig. Not only will Congress members let nothing stand in the way of personally profiting from their time in office, they'll also apparently ensure those who previously got away with it will continue to elude being held accountable.

Filed Under: bruce sutter, congress, insider trading, investigation, sec, stock act, subpoena

FBI Sends Subpoena To Boing Boing Over Its Tor Exit Node, Gets Educated, Goes Away

from the well-that's-nice dept

There have been plenty of discussions on the possible "risks" of running a tor exit node, where clueless law enforcement might confuse traffic that comes out of that node as being from the person who actually manages the node. And, indeed, last year we wrote about an absolutely ridiculous case in which a tor exit node operator in Austria was found guilty as an "accomplice" because someone used his node to commit a crime. Thankfully, it appears that the US isn't going quite down that road yet. It appears that a month and a half ago, of all places, the website Boing Boing received a subpoena concerning the tor exit node that the site hosts, demanding an appearance before a federal grand jury in New Jersey.

Except, Boing Boing's lawyer, Lauren Gelman, quickly shot off a note explaining "tor exit node" to the FBI... and the FBI understood what was going on and moved on. Really. Here's the note that Gellman sent:

Special Agent XXXXXX.

I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).

The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.

I would be happy to discuss this further with you if you have any questions.

They didn't have any questions. They understood the situation and (one assumes) continued the investigation through other means. As Cory Docotorow writes:

The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury.

We write plenty of stories about "clueless" law enforcement and politicians overreacting to things by not understanding the technology. Because that's newsworthy. But it is worthwhile, every once in a while, to remember that there are some in these jobs who do understand technology and are perfectly willing to understand what is happening and continue to do their jobs without going overboard.

And, as Cory notes, perhaps this story of nothing actually happening will be useful in convincing a few more people that maybe the "risks" of running a tor exit node aren't quite as high as some have made them out to be. Yes, you may receive a subpoena, but hopefully it's from law enforcement willing to understand how tor actually works and what it means.

Filed Under: fbi, subpoena, tor, tor exit node
Companies: boing boing