Archive | Stored Communications Act

No Public Right of Access to 2703(d) Orders in the Stored Communications Act

So holds the Fourth Circuit in an opinion by Judge Gregory. I would add just one minor tweak to the court’s analysis. Although the Stored Communications Act was enacted in 1986, the provision introducing intermediate-scrutiny 2703(d) orders was not enacted until 1994. See H.R.Rep. No. 103–827, at 31–32 (1994), reprinted in 1994 U.S.C.A.A.N. 3489, 3511–12. The original 1986 Act allowed the government to obtain all non-content information with a subpoena, and it did not add the greater privacy protection of a 2703(d) order until eight years later. See id. I only point that out because answering whether there is a long tradition of public access to 2703(d) orders naturally leads the court to find a starting date for 2703(d) orders; the appropriate date presumably should be ’94 instead of ’86.

UPDATE: On second thought, I suppose the proper date may be 1986. Reviewing the original 1986 Act, I see that it did indeed include a provision for the 2703(d) authority: The standard for the order was raised in 1994, but the order did exist in 1986. Sorry for the confusion. [...]

Continue Reading 0

Can A Judge Order Individuals to Consent to Facebook Disclosing Their Status Updates?

This issue arose in Juror Number One v. Superior Court, handed down yesterday by the California Court of Appeal, Third District. Because the facts of the case are likely to recur, and they involve a statute I have written a lot about, I thought I would blog my thoughts on the case.

The case involves an investigation into juror misconduct. Exactly what happened is kind of murky, but here’s what I can piece together. During a two-month trial, the jurors were told that they couldn’t discuss the case with anyone. Despite this, one of the jurors — call him “Juror Number One” — posted status updates during the trial that were somewhat related to the case. Juror Number One had “friended” some of the other jurors, and they had access to the status updates, too. The losing party in the trial later found out about the status updates, and somehow obtained copies of what it thought were a complete set of status updates. The trial judge held a hearing and determined that based on the known status updates, there was no prejudice to the trial from the messages. The problem was that no one knew if this was the complete set of status updates. There may have been other status updates that were prejudicial but that weren’t part of the set that the losing party had obtained.

Yesterday’s decision arose in the course of trying to find the complete set of status updates. The losing party at the trial issued two subpoenas to try to get full copies of the postings. The first subpoena was to Facebook, and the second was to Juror Number One. Facebook moved to quash the subpoena on grounds that the subpoena violated the Stored Communications Act, and instead told the judge that the losing [...]

Continue Reading 0

Judge Orders Plaintiff to Give Defendant Her Facebook Username and Password So Defendant Can Access Plaintiff’s Account As Part of Discovery

The decision is Largent v. Reed (Pa. Common Pleas Nov. 8, 2011), and it involves a discovery request by the defendant in a civil case arising from a car accident. The defendant has filed a Motion to Compel Facebook Login Information in an effort to look through the plaintif’s account for evidence that she was exaggerating her injuries. Judge Walsh grants the request, ruling:

Plaintiff . . . must turn over her Facebook login information to Defense counsel within 14 days of the date of the attached Order. Defense counsel is allotted a 21-day window in which to inspect [Plaintiff]’s profile. After the window closes, Plaintiff may change her password to prevent any further access to her account by Defense counsel.

Judge Walsh spends pages 10-12 considering how the Stored Communications Act applies to this situation, and given that he relies on an article I wrote, let me offer a quick comment. Judge Walsh writes that the Stored Communications Act isn’t implicated because the defendant seeks information directly from the plaintiff. As a result, neither the defendant nor the plaintiff is a regulated entity (known as an “RCS” or an “ECS”) under the statute:

In this case, [Defendant] seeks the information directly from [Plaintiff]. The SCA does not apply because [Defendant] is not an entity regulated by the SCA. She is neither an RCS nor an ECS, and accessing Facebook or the Internet via a home computer, smartphone, laptop, or other means does not render her an RCS or ECS. See Kerr, 72 Geo. Wash. L. Rev, at 1214. She cannot claim the protection of the SCA, because that Act does not apply to her. “The SCA is not a catch-all statute designed to protect the privacy of stored Internet communications.” Id. Rather, it only applies to the

Continue Reading 0

2703(d) Orders in the News — No, Really

There has been a lot of news coverage about the “subpoenas” served on Twitter for information about certain users relating to WikiLeaks. I gave an interview on the legal issues raised by investigation here to NPR’s Marketplace Tech Report (start around 1:45), and I wanted to offer a few more thoughts.

The “subpoenas” used in this case are actuallly 2703(d) orders, issued under 18 U.S.C. 2703(d), part of the Stored Communications Act. Section 2703(d) was enacted in 1994, and the idea was to add extra privacy protection to Internet account records beyond the usual subpoena protection afforded in criminal investigations. Under 2703(d), the government has to apply for the court order and prove “specific and articulable facts” that the information is relevant and material to a criminal investigation. This is less than a search warrant and more than a subpoena: It’s essentially the “Terry” standard, for those familiar with Fourth Amendment law. You can read all about the 2703(d) standard, and about the Stored Communications Act more generally, in A User’s Guide to the Stored Communications Act.

The interesting thing about the Twitter 2703(d) orders — as compared to 2703(d) orders in every other routine case — is that the orders in this case were made public after Twitter went to court to get them unsealed. Other than that, they’re standard orders that simply copy the model language used in DOJ’s computer search and seizure manual. Given that the orders used the model language, rather than tailor it to the specific information that Twitter has, there is likely to be some negotiation between Twitter and DOJ as to exactly what the lanuage means and what Twitter has to turn over. But based on the orders themselves, what is interesting is how standard this is. From what we [...]

Continue Reading 11

The Perils of Interpreting Statutes With Multiple Remedial Schemes: A Comment on the Dicta in United States v. Szymuszkiewicz

The Seventh Circuit decided an interesting Wiretap Act case today that was largely a replay of United States v. Councilman, the First Circuit case that I blogged about here a bunch of times back in 2004 to 2005. In the new case, United States v. Szymuszkiewicz (glad I don’t have to pronounce that one), the panel reached the right result. It agreed with the result of the en banc Councilman decision (if not its precise reasoning, given the curious narrowness of the Councilman decision) that it violates the Wiretap Act to go into someone else’s e-mail account and secretly program it to forward a copy of all of their e-mails to you.

After reaching the right result in this case, Judge Easterbrook then added some dicta in which he argued that other courts had misconstrued the Wiretap Act by imposing a requirement that the Wiretap Act only applies to “real-time” acqusiition and not one-time access to stored contents. Judge Easterbrook is a brilliant guy, but his dicta badly misunderstands the Wiretap Act. Fortunately, Easterbrook’s errors raise some conceptually interesting questions about what leads judges to misread statutes. In particular, I wanted to post on one aspect that is a recurring issue in statutory privacy law: Whether judges can overcome the blinders imposed by the remedial context of the case before them.

To understand the problem, let’s start with the basic structure of the statutory privacy laws. Such laws generally follow the following structure:

1) Anyone who intentionally does privacy-invading thing “X” commits a crime,
2) However, the government can do “X” if it has an appropriate court order based on a certain level of cause, and
3) Victims of “X” have a civil remedy against whoever does “X.”

Because of this structure, statutory privacy laws generally serve three distinct [...]

Continue Reading 33

Is “Project Vigilant” a Publicity Stunt?

Richard Bejtlich thinks so. Bejtlich’s theory sounds plausible: I also thought it was odd that I’d never heard of the group until today. Further, although the group is supposed to include lots of “big names,” the only person on the list who I had heard of was Mark Rasch, a consultant and former DOJ lawyer (sometimes incorrectly called the former chief of the DOJ computer crime unit — I believe Mark left DOJ before the unit was formed). And even Rasch has allegedly been involved with the group for only a short time. I suspect we’ll know more soon. Stay tuned.

Thanks to commenter Steve P. for the link. [...]

Continue Reading 15

What Is “Project Vigilant,” and Is It Violating the Law?

Salon’s Glenn Greenwald has an interesting post about a group called “Project Vigillant,” which it seems is some sort of volunteer private-sector group that tracks hackers (and perhaps other bad guys). I say “seems” because I’ve never heard of the group, and it’s not entirely clear what it does. But a report in Forbes includes the following claim by someone named Chet Uber, who apparently is the head of it:

Uber . . . says the 600-person “volunteer” organization functions as a government contractor bridging public and private sector security efforts. Its mission: to use a variety of intelligence-gathering efforts to help the government attribute hacking incidents. “Bad actors do bad things and you have to prove that they did them,” says Uber. “Attribution is the hardest problem in computer security.”

According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”

Greenwald’s coverage suggests that the group is in cahoots with the feds, and that it is conducting some sort of mass surveillance of lots of people and then handing over the leads to the federal government. If that is true — which remains unclear to me — then the legality of the project’s work strikes me as questionable. The Stored Communications Act (SCA), codified [...]

Continue Reading 25