Showing posts with label SCA. Show all posts

Tuesday, April 23, 2013

6th Circuit declines to extend Warshak reasoning to P2P

In a recent unpublished opinion, the Sixth Circuit held that its 2010 opinion in Warshak should not be extended to provide a reasonable expectation of privacy for users sharing files over Limewire. United States v. Conner, No. 12-3210 (6th Cir. 2013).

The defendant was convicted of receipt and possession of child pornography after law enforcement tracked the sharing of child pornography images on Limewire to him. A sheriff's deputy had searched for file names associated with child pornography, and found the defendant's IP address sharing them over the peer-to-peer (P2P) network.

On appeal, the defendant argued that the Sixth Circuit's decision in United States v. Warshak made the "search" of his computer a violation of the Fourth Amendment. In Warshak, the Sixth held that it was a violation of the Fourth Amendment for the government to compel Warshak's ISP to produce his emails without obtaining a search warrant with a showing of probable cause. The e-mails were obtained under the Stored Communications Act, which the Sixth Circuit therefore declared unconstitutional as it relates to this issue.

As for the search conducted on Limewire in the present case, however, the Sixth didn't buy the defendant's argument. The issue was whether P2P sharing "is different in kind from e-mail," and the court decided it was:
Unlike these forms of communication, in which third parties have incidental access to the content of messages, computer programs like LimeWire are expressly designed to make files on a computer available for download by the public, including law enforcement. Peer-to-peer software users are not mere intermediaries, but the intended recipients of these files.
The defendant attempted to argue that he did not know the files would be publicly available, but the court also found that the record proved otherwise. He had made multiple attempts to keep the files private, but the court held that the failure only showed he was "ineffective at keeping [them] ... from being detected" and not that "he was unaware of a risk of being discovered."

Wednesday, March 20, 2013

House holds hearing on ECPA revisions, new Senate bill seeks to require probable cause for content

If you missed yesterday's House hearing on the Electronic Communications Privacy Act, the testimony is available here by video and here by written testimony. Witnesses included Elana Tyrangiel (DOJ), Orin Kerr (GW Law), Richard Littlehale (Tenn. Bureau of Investigation), and Richard P. Salgado (Google).

Here's a brief summary of each witness's testimony:
  • Tyrangiel - The 180-day rule under the ECPA should be abolished, and opened emails should not be treated differently from those which are unopened. Also, addressing information in e-mails should be available with a subpoena similar to that of telephone calls. The standard for 2703(d) orders should be clarified (must a court issue the order with specific and articulable facts or can probable cause be required?). "It is important that any proposed changes to ECPA take into account the ability of civil regulators and litigators to compel disclosure of information from providers."
  • Kerr - Outlined five problems with the statute, including the 180-day rule, the fact that there is no protection for search engine requests, the uncertain scope of warrant requirements (through court opinions like Theofel and Jennings), the statute's failure to satisfy the Fourth Amendment, and the need for particularity, minimization, and non-disclosure rules.
  • Littlehale - Carriers should be required to keep all communications for one year. "There can be no question that some of that information holds the keys to finding an abducted child, apprehending a dangerous fugitive, or preventing a terrorist attack." Any attempt to require probable cause "should be accompanied by provisions that ensure accountability and prompt response by service providers."
  • Salgado - ECPA should be updated, abolishing the 180-day rule and adopting Warshak's warrant requirement for e-mail content.
Also in ECPA news yesterday, Senators Patrick Leahy (D) and Mike Lee (R) filed legislation to update the statute, abolishing the 180-day rule, requiring probable cause to obtain content, and ordering notification to individuals within 10 days of disclosure.

Thursday, December 13, 2012

Fifth Circuit surprises no one with decision that accessing another's text messages on their cell phone doesn't violate SCA

In Garcia v. City of Laredo, Texas, No. 11-41118 (5th Cir. 2012), the Fifth Circuit held that a person accessing text messages and images on the cell phone of another does not violate the Stored Communications Act (SCA). Those of you who have ever studied the SCA are certainly not surprised.

Garcia worked as a police dispatcher, and the wife of a coworker took Garcia's phone from her locker at work. After finding text messages and photos that showed department policy violations, the coworker's wife set up a meeting with the deputy assistant city manager and the interim police chief. The images and texts were shown, the videos were copied off of the phone, and Garcia was fired. Garcia later filed suit, and summary judgment was granted with regard to her SCA claim.

Her argument before the Fifth Circuit was that her cell phone was a "'facility' in which electronic communication is kept in electronic storage in the form of text messages and pictures stored on the cell phone." The Fifth cited a variety of district court cases, a law journal article by Professor Kerr, and the legislative history to back up its holding that devices such as cell phones are not facilities under the act.

The court also held that even if the cell phone was a "facility," the text messages and images certainly do not fit into the SCA's definition of "electronic storage." A common sense definition might make one think that would be the case, but we are, of course, dealing with statutes. Under the SCA, data is only in electronic storage when it "has been stored by an electronic communication service provider." If you want to know what that means, click here.

Thus, the Fifth affirmed the district court's grant of summary judgment, dismissing Garcia's SCA claim.

Wednesday, November 14, 2012

Mass. trial court finds obtaining one day of CSLI without cause to violate the Mass. Constitution

In Commonwealth v. Wyatt, 30 Mass. L. Rep. 270 (Mass. Sup. Ct. 2012), the Superior Court of Massachusetts held that obtaining cell site location information (CSLI) without a showing of cause (the court did not specify if probable cause was a requirement) was a violation of the Massachusetts Constitution. As a result of this finding, the defendants' motions to suppress were granted.

As part of a murder investigation, law enforcement acquired nine 2703(d) orders covering five different cell phone companies and eighteen phone numbers, seeking subscriber information and call records for a nearly two-month period and CSLI for one day. Officers later admitted they did not have probable cause to acquire this information. The four defendants filed a motion to suppress their historical CSLI.

The court began by discussing the similarities of cell phones and a GPS device, noting that "CSLI enables a cellular telephone to be treated as a de facto Global Positioning System (GPS) tracking device." As such, they conducted an evaluation of a state high court opinion in Connolly (holding that installation of a GPS device on a vehicle is a seizure) and the Supreme Court's opinion in Jones.

Next, the court applied the expectation of privacy test to the use of CSLI. Because "[i]t is unlikely that the average cellular telephone user knows that when he or she makes or receives a call or a text message, the service provider creates and maintains a record of the cellular telephone’s location," the defendants had a subjective expectation of privacy in the cell records.

As to an objective expectation of privacy, the court held:
Allowing the government to track our movements without evidence that the person whose CSLI is sought engaged in criminal activity compromises what it means to be a citizen of the United States of America free from arbitrary surveillance.... 
Allowing the government to track a citizen’s movement through CSLI, without requiring the government to show probable cause or even reasonable suspicion that the target is engaged in criminal activity is contrary to the very freedom we hold dear.
Thus, the defendants' motion to suppress their cell site location information was granted.

Cybercrime Review blogger Justin Webb contributed to this post.

Thursday, November 8, 2012

Hushmail provides unencrypted e-mails to feds; practice raises interesting legal questions

In a Second Circuit case (United States v. Gonzalez, 686 F.3d 122 (2d Cir. 2012)) released earlier this year, evidence was presented at trial that had been e-mailed through Hushmail, a secure e-mail service used by "millions of people and thousands of businesses." Hushmail's website claims that they "encrypt your message automatically before it is sent, and then restore it back to its original form when the recipient reads it."

The issue that immediately came to my mind was the fact that Hushmail not only provided the communications but was also able to unencrypt them first. Here's the court's description of the evidence:
The government also introduced into evidence numerous emails sent from the address "biotechresearch@hush.com" — which Gonzalez admitted was his — through "Hushmail," an encrypted email service provider that encoded email messages, permitting them to be accessed and read only by someone who had the encryption key. The emails introduced at trial by the government, decoded by Hushmail, included the following...
This isn't the first time Hushmail has done this. In 2007, Threat Level explained the security issues and how Hushmail is able to provide an unencrypted copy of a user's e-mails.

In recent years, several courts have evaluated whether the government can force an individual to provide an encryption key for electronic files. Courts have ruled on both sides of this popular Fifth Amendment issue. Perhaps an interesting extension of that debate is whether a person's agent (that word choice may be a stretch) - their e-mail provider - can be forced to provide an unencrypted copy of e-mails or whether they may only provide the scrambled versions. Another interesting issue is how we would define communications required to be disclosed under provisions of the Stored Communications Act.

Hush Communications' CEO, Ben Cutler, responded to my inquiry about their disclosure policy:
Our policy is to only release user information if we receive an order enforceable in British Columbia Canada requiring that we do so. British Columbia, Canada is the jurisdiction where our servers and operations are located. The order must be for a specific user account. In the case where authorities in the US are seeking information on one of our users they would have to make an MLAT request to the Canadian Department of Justice, which if successful would result in an enforceable order being issued here in Canada.
As may be obvious, I don't really claim to have answers to these issues, but I feel they are interesting to think about. Please feel free to comment below with your thoughts.

Wednesday, October 24, 2012

Kansas magistrate adopts Warshak, strikes down warrant applications for not meeting particularity requirements

In In re Applications for Search Warrants, No. 12-MJ-8119-DJW (D. Kan. 2012), a magistrate judge adopted the Sixth Circuit's Warshak view that electronic communications are subject to a reasonable expectation of privacy and held that search warrants for such information should be sufficiently limited to the relevant crime(s) and should address limits for reviewing the data.

The government had applied for two search warrants to obtain electronic communications from Yahoo! and UnityFax. In the application, they alleged that the account holder had been spamming individuals in an attempt to defraud them.

In deciding whether the Fourth Amendment applies to electronic communications, the judge relied heavily on the Sixth Circuit's decision in Warshak (Kansas is in the Tenth Circuit).
The Court finds the rationale set forth in Warshak persuasive and therefore holds that an individual has a reasonable expectation of privacy in emails or faxes stored with, sent to, or received through an electronic communications service provider. Accordingly, the Fourth Amendment protections, including a warrant "particularly describing" the places to be searched and communications to be seized, apply to a search warrant seeking such communications.
But here, of course, the government was already seeking the communications by a search warrant (under 18 U.S.C. § 2701(b)(1)(A) & (c)(1)(A)), rather than a 2703(d) Order. The court found that the applications did not meet the particularity requirements of the Fourth Amendment.

First, the judge found that a warrant ordering disclosure of "all email or fax communications" was "too broad and too general." The requests must "limit the universe" to information related to "the specific crimes being investigated." Second, the applications "fail to set out any limits on the government's review of the potentially large amount of electronic communications."
The Court finds the breadth of the information sought by the government's search warrant for either the fax or email account—including the content of every email or fax sent to or from the accounts—is best analogized to a warrant asking the post office to provide copies of all mail ever sent by or delivered to a certain address so that the government can open and read all the mail to find out whether it constitutes fruits, evidence or instrumentality of a crime. The Fourth Amendment would not allow such a warrant.
The judge's suggestions for alleviating these issues included limiting the search to keywords or to communications between certain individuals, or appointing a special master or filter group to review the information.

Monday, October 22, 2012

Arkansas Supreme Court upholds murder conviction over argument that text messages were improperly obtained by a prosecutor's subpoena

In Gulley v. State, 2012 Ark. 368 (Ark. 2012), the Supreme Court of Arkansas held that the defendant's argument that text messages obtained by a prosecutor's subpoena violated the federal Stored Communications Act and Fourth Amendment would not be considered because the objection was not made at trial, and the defendant did not argue on appeal that the prosecutor had abused the subpoena power.

The defendant had been convicted and sentenced for capital murder and attempted capital murder, and three text messages that had been obtained through a prosecutor's subpoena were presented at trial. One said that the victim's child is "going to be left without any parents," and another read "dat b**** gonna pay, it's just a matter of time." At trial, counsel argued:
DEFENSE COUNSEL: If I send a text message out it is digitally transmitted through the air wave just like a telephone call is. There is no difference. The fact that they maintained it and printed it out is what the difference is but there is a reasonable expectation of privacy. It may have been subject to a warrant but not to a subpoena.
. . .
DEFENSE COUNSEL: You do not expect the telephone company is going to take it upon themselves to give it to a third party based on a subpoena. It has to be probable cause to get it not just carte blanche you issue a subpoena and go get it. That is what happened here. It may otherwise be something that could be used if a Judge says it but not by a Prosecutor just exercising its own subpoena. 
PROSECUTOR: I respectfully disagree, Your Honor, with regard to the Prosecutor's subpoena. Like I say, it is just like a grand jury, it's a quasi-magisterial function and it is a power that is conferred upon the office of the Prosecuting Attorney, same as grand jury in the State of Arkansas.
The judge denied the motion, finding that there could not be an expectation of privacy because the messages "can be picked up by a scanner with the proper device." Defense counsel also argued the messages should not be admitted on the basis of relevancy, juror confusion, hearsay, and rule 403. The court limited admission to three text messages.

On appeal, the defendant argued that the use of the subpoena to acquire the text messages violated the SCA and the Fourth Amendment. However, because he did not make an SCA-related objection at trial and did not argue on appeal that the prosecutor abused the subpoena power, the court refused to consider the issue.

The defendant also appealed the admission of the messages as evidence, arguing they were hearsay and not properly authenticated. The supreme court disagreed on both issues.

Monday, October 15, 2012

South Carolina Supreme Court finds no SCA protection for read e-mails left in user's account

In Jennings v. Jennings, No. 27177 (S.C. 2012), the South Carolina Supreme Court held that e-mails simply left in a user's account after being read are not in "electronic storage" and thus not protected by the federal Stored Communications Act (SCA). The statute, enacted in 1986, addresses unlawful access to stored communications and prescribes criminal and civil penalties for such access.

The alleged SCA violation arose after Mrs. Jennings discovered that her husband had been having an affair. A friend obtained access to Mr. Jennings's personal e-mail account by guessing the answers to his security questions and printed e-mails between Jennings and his paramour. Mr. Jennings filed suit alleging a violation of the SCA, and the lower court granted summary judgment to the defendants. The South Carolina Court of Appeals reversed, holding that the e-mails were in "electronic storage." Jennings appealed to the state supreme court.

At issue on appeal was whether the e-mails were in electronic storage. The court of appeals had held they were because they "were stored for 'purposes of backup protection,'" relying on the Ninth Circuit's Theofel case (which found that leaving an e-mail on the server was electronic storage). However, the supreme court disagreed. 
We decline to hold that retaining an opened email constitutes storing it for backup protection under the Act.  The ordinary meaning of the word "backup" is "one that serves as a substitute or support."
Therefore, because the e-mails were not protected by the SCA, the statute does not provide a remedy for Jennings. The court emphasized, however, that their decision "should in no way be read as condoning [such] ... behavior."

Under the SCA, "electronic storage" is defined as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;
Many courts have determined that e-mails may be protected if they fit into either subsection A or B, despite the use of the word "and" between them. The majority opted not to decide the issue, noting that "[w]hatever doesn't make any difference, doesn't matter," but the chief justice argued in a concurring opinion that both are required. The distinction matters because if both are required, once "the recipient opens [an] e-mail, ... [it] is no longer in electronic storage."

Tuesday, August 14, 2012

EFF files amicus in D.C. Circuit Court against use of CSLI in remanded Jones case

Back in April, Jeffrey wrote that Antoine Jones wasn't off the hook for his crimes because of the ruling in United States v. Jones, 132 S. Ct. 945 (2012). Rather, instead of using the GPS tracking data they had collected (illegally), the police decided to use Cell Site Location Information (CSLI). Jeffrey's previous article can be found here - Jones II: This time, the government seeks to use cell site location information. If you're looking to read more on the subject, we have additional content that can be found here.

On Monday, the Electronic Frontier Foundation filed an amicus brief in favor of Antoine Jones, arguing that six months' worth of CSLI should not be obtainable without a warrant. The EFF drew parallels between this situation and the GPS tracking that occurred in the original instance. Additionally, the EFF puts forward an argument in the brief that could not be used in the context of GPS tracking - that CSLI could actually provide information about occurrences inside the home. This is important because courts have tended to give the most Fourth Amendment protection to the confines of a private home - see, for example, Karo or Kyllo.

The EFF's brief also addresses third-party doctrine, the Stored Communications Act, and even CALEA.

The brief can be found here: BRIEF AMICI CURIAE OF THE ELECTRONIC FRONTIER FOUNDATION AND CENTER FOR DEMOCRACY & TECHNOLOGY IN SUPPORT OF DEFENDANT ANTOINE JONES’ MOTION TO SUPPRESS CELL SITE DATA


The EFF also has a story, here: Government Faces New Warrantless Surveillance Battle After Losing Landmark GPS Tracking Case




Thursday, June 21, 2012

Facebooking juror fails in asserting SCA claim after forced disclosure of trial-related posts

A California juror recently posted to Facebook about the trial while it was in progress. Upon learning of the act, the court required the juror to consent to its in camera review of his Facebook postings. He argued that the order violated the Stored Communications Act, but the Court of Appeals of California disagreed (Juror No. One v. The Sup. Court of Sacramento Cnty., No. C067309 (Cal. Ct. App. 2012)).

After trial, one of the jurors told the court that another had posted comments to Facebook about the evidence in the case. That juror had not seen the comments during the trial, but another juror had "liked" one of the posts. The juror-author admitted he posted during the trial, but said the content had nothing to do with evidence. One of the parties in the case attempted to subpoena the juror's Facebook records, but Facebook refused to disclose, citing the SCA. The court later ordered the juror to provide the postings himself.

On appeal, the court held:
Juror Number One has provided this court with nothing, either by way of the petition or the supporting documentation, as to the general nature or specific operations of Facebook. Without such facts, we are unable to determine whether or to what extent the SCA is applicable to the information at issue in this case. For example, we have no information as to the terms of any agreement between Facebook and Juror Number One that might provide for a waiver of privacy rights in exchange for free social networking services. Nor do we have any information about how widely Juror Number One's posts are available to the public. 
But even assuming Juror Number One's Facebook postings are protected by the SCA, that protection applies only as to attempts by the court or real parties in interest to compel Facebook to disclose the requested information. Here, the compulsion is on Juror Number One, not Facebook.
The defendant also suggested that the order violated the Fourth and Fifth Amendments but did not actually present an argument or citation to support the theories.

Wednesday, May 16, 2012

What type of process is required for a cell tower dump?

I was recently in a discussion concerning the type of process needed for law enforcement to obtain a tower dump from a service provider. A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time. Beyond this list, law enforcement could also request customer information, allowing them to match the cell numbers with a specific customer's name, address, and other account information.

Under the Stored Communications Act (SCA), information can be obtained from phone companies (and other service providers) by use of a subpoena, 2703(d) order, or search warrant, depending on the type of data requested. For example, a subpoena can be used to obtain basic subscriber information. However, account logs and transactional records require a 2703(d) order - which requires specific and articulable facts to believe the records are relevant to an ongoing criminal investigation.

So the question to my readers is this - what type of process is required for a tower dump? We're just curious as to how easily phone companies are giving the information away. The specific and articulable facts standard seems too high for a tower dump, but a subpoena doesn't exactly seem sufficient. Or does a tower dump even fit under the SCA since that report alone only gives away phone numbers and not account information? Please leave a comment to this article if you have any ideas.

After a quick search, I was only able to find one reported case that mentions tower dumps - Jackson v. State, 716 S.E.2d 188 (Ga. 2011). In that case, police had obtained the defendant's cell number from a tower dump following a series of crimes. This, of course, only showed the defendant was in the area of the crime. On appeal, Jackson argued that the records are "not sufficient corroborating evidence as they only establish where his cell phone was at the time of the crimes, and not where he was, since he may have let a friend borrow his phone." The Georgia Supreme Court upheld the use of the records. Unfortunately, proper process was not an issue in that case.

Last month, the ACLU released a report on the use of cell site data by law enforcement. Click here for my earlier post.

Monday, April 2, 2012

ACLU releases report on cell site data use by law enforcement

The American Civil Liberties Union recently released a report on the use of cell site data information by law enforcement agencies around the country. The group examined whether the surveyed agencies used CSLI, the standard (probable cause or less) by which they obtained it, and which used specific practices (such as getting the phone company to release a list of all phone numbers connected to a certain tower at a given time (called a "tower dump")).

Also included are the public records requests for each agency that has responded, easily accessible by map. Those documents reveal prices charged by phone companies for each type of request. According to documents obtained from the Tucson Police Department, the following are examples of charges:
  • Tower Dump from Alltel - $500
  • Tower Dump and Subscriber Information from T-Mobile - $150/tower/hr
  • E911 Tracking from AT&T - $100 activation, $25/day

Sunday, April 1, 2012

Jones II: This time, the government seeks to use cell site location information

Remember United States v. Jones, the ground-breaking decision from the Supreme Court in January? For those of you who haven't heard, it's the case where the justices held that the installation and use of GPS is a Fourth Amendment search and requires a warrant (read more here). The case is now being retried, and the government is seeking to use cell site location information (CSLI) to prove the same facts as the GPS data.

Poor Antoine Jones. This guy just can't catch a break. Of course, his lawyer has filed a motion to suppress the CSLI just like the GPS data. "In this case, the government seeks to do with cell site data what it cannot do with the suppressed GPS data," argues Jones in the new filing.

During the government's investigation, they placed the GPS device to track Jones and obtained information from his phone company, the latter under a 2703(d) Order. A total of four months of CSLI was obtained, significantly more than the 28 days he was tracked with GPS (an amount of time the concurring justices found significant). However, only the GPS data was used at trial so the appellate courts were never able to directly address the CSLI.

Not having the issue before them didn't stop five justices from discussing the larger issue - as Sotomayor put it - "whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on."

Courts began to deal with CSLI about five years ago, and as they were with GPS data, the courts are fractured. A distinction, however, is that some courts have deemed a 2703(d) order under the Stored Communications Act sufficient for CSLI (see, e.g., 620 F.3d 304 (3rd Cir. 2010)), but others require a warrant (see, e.g., 809 F. Supp. 2d 113 (E.D.N.Y. 2011)).

Wednesday, March 7, 2012

Ill. court reverses summary judgment grant in SCA case

An Illinois woman recently argued that her former employer violated the Stored Communications Act after they accessed her personal e-mail account. (Borchers v. Franciscan Tertiary the Sacred Heart, 2011 IL App 2d 101257 (Ill. App. Ct. 2012)). Two accounts were accessible on her computer - her personal and work e-mail, and the former employer connected to the personal account and printed 36 of the e-mails.

The trial court entered summary judgment. Not, as you might expect, for the plaintiff but instead for the employer, "finding that the plaintiff had not produced sufficient evidence that the defendants acted intentionally."

As the Appellate Court of Illinois noted, intent "may be gleaned from circumstances and actions, not simply words." The employee who searched the account testified that she thought the account was the plaintiff's work e-mail. Despite that, she printed 36 e-mails that were clearly personal and had subject lines such as "Re: mom." It's also worth mentioning that the defendants were aware that the plaintiff had filed a sexual harassment lawsuit against them, and these printed e-mails were used in their response. Here's some good language from the court:
The fact that Maxwell knew of the plaintiff's sexual harassment charges against her employer is also relevant to the issue of intent: conduct is "more likely to be intentional when it serves a party's self-interest to engage in such conduct." ... And, although the initial accessing of the AOL account could be viewed as innocent if Maxwell had immediately logged out of the account once she had seen that the in-box contained material not clearly related to work, that is not what happened here. Maxwell deliberately chose to click additional times to travel from the first screen she viewed, the in-box, to the portion of the AOL account displaying e-mails that the plaintiff had sent, actions that could be viewed as additional acts of "accessing" the plaintiff's e-mails through the AOL "facility."
The court held that in cases with similar facts, some courts have denied a summary judgment motion while others have used these facts to grant the plaintiff's motion. Therefore, the court reversed the entry of summary judgment.

Friday, March 2, 2012

Maryland district court addresses cell site location data, finds no Fourth Amendment issue

The Maryland federal district court recently held that obtaining cell site location data does not implicate the Fourth Amendment, and even if it did, obtaining such information without a warrant does not require suppression. (United States v. Graham, 2012 U.S. Dist. LEXIS 26954 (D. Md. 2012)). Of the two orders issued under the Stored Communications Act, one "authorized [221] days and 20,235 individual cell site location data points." 

The defendants "argue[d] that the privacy intrusions available through this type of technology are far reaching and unconstitutional - allowing the government to retroactively track or surveil a suspect through his cellular telephone, a device he likely carries with him at all hours of the day and to constitutionally protected places such as his home or church."

The government countered with four arguments: (1) defendants lack standing because the phones were registered in a fictitious name (read more about this issue here), (2) there is no expectation of privacy because the locations were "business records voluntarily conveyed to a third party," (3) the SCA requires a lower standard than probable cause, and (4) even if the defendants' Fourth Amendment rights were violated, suppression is not required.

With regard to standing, the court held, "[T]he real issue is whether the Defendants have a legitimate expectation of privacy in their location data captured by their cellular service providers, and not whether they have a legal or possessory interest in the property." Next, the court addressed the concurring opinion in Jones and the mosaic theory in Maynard, but ultimately found that "unless and until the Supreme Court affirmatively revisits the third-party doctrine, the law is that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties." Also, even if the data was able to reveal when an individual is at home, that is obtainable by pen register under Smith v. Maryland.

Thus, the court held that the defendants did have standing despite the fictitious name, but there was no violation of the Fourth Amendment. Also, even if there was a violation, the good faith rule applies due to reliance on the SCA, and suppression is not necessary.

Tuesday, February 7, 2012

Pa. court discusses whether defendant has standing in another's e-mail account

In Commonwealth v. Hoppert, 39 A.3d 358 (Pa. Super. Ct. 2012), a Pennsylvania appellate court examined whether probable cause existed to obtain defendant's e-mails when the account had been closed three months earlier. The defendant argued the e-mails were stale, but the court found that "the information sought was not easily disposable and there was a fair probability that AOL had retained it."

Footnoted in the case was a discussion of whether the defendant had a reasonable expectation of privacy in the e-mail account which was in another person's name. The court compared it to a prior case determining that the defendant did not have a reasonable expectation of privacy in phone records from his girlfriend's cell phone. That case cited another which found that a defendant had no expectation of privacy in phone bills in his wife's name. The court didn't actually address standing but simply wanted to flag it for future reference.

This raises an interesting issue - proving ownership of Internet accounts can be a difficult task (in this case, however, it was an AOL e-mail account, making it a slightly clearer case). A person who creates an e-mail account under an alias could have ownership of that account. Many couples now create joint Facebook accounts (such as Jack-n-Jill Smith). The free aspect of many accounts presents another issue - how do you show it is yours and not just something you are using? Hoppert was using someone else's e-mail account, but did the e-mails belong to him because he wrote them, or were they property of the person whose name the account was in? Can we have e-mail accounts with joint property interests when e-mail providers only allow one name on the account?

Another issue with the court's discussion is whether it was proper to analogize e-mails with phone records, as e-mails are not "records" (see the content versus records distinction in 18 USCS § 2702). It's well-accepted that no expectation of privacy exists in phone and e-mail records (telephone numbers dialed or e-mail routing information). However, the actual content of those phone calls or e-mails may be a different story (certainly so with phone calls, while e-mails vary by jurisdiction). Thus, an absence of a reasonable expectation of privacy in records does not necessarily mean the same for content.

Wednesday, January 25, 2012

Missouri appellate court finds reasonable expectation of privacy in text messages, adopts Warshak

The Missouri Court of Appeals has adopted the reasoning of the Sixth Circuit in Warshak, finding a reasonable expectation of privacy in text messages held by a third party. State v. Clampitt, 2011 Mo. App. LEXIS 1741 (Mo. Ct. App. 2012).

The defendant, James Clampitt, was charged with involuntary manslaughter after a car accident. Investigators used subpoenas (apparently under a state statute as opposed to the SCA) to obtain his text messages and phone records beginning with the date of the accident and for a few weeks thereafter, hoping to find an admission. The prosecutor did not seek a search warrant because they felt "the text messages 'were records that were in possession of a third party,'" and it was therefore unnecessary. The trial court suppressed the evidence, and the state appealed.

The appellate court first looked at whether the Fourth Amendment is relevant, asking whether or not there is a reasonable expectation of privacy in text messages. The court looked to Quon (130 S. Ct. 2619 (2010)) and, while acknowledging that it dealt with employers/employees, interpreted the case to mean that the Supreme Court "strongly suggested ... the public would have a reasonable expectation of privacy in ... text message[s]."

Next, the court cited six opinions where "courts have found that individuals have a reasonable expectation of privacy in their cell phones and the information stored therein, including text messages." None of these cases, however, finds Fourth Amendment protection for text messages stored by a third party, but rather for the actual physical cell phone and its contents. Investigators could likely have obtained the text messages in each case directly from the phone company without regard to the Fourth Amendment's protections.

The court then turned to Warshak (631 F.3d 266 (6th Cir. 2010)), which involved law enforcement obtaining the defendant's e-mail without a search warrant. Ultimately, the Sixth Circuit found that a reasonable expectation of privacy existed in the e-mails even if they are stored with a third party and declared part of the Stored Communications Act unconstitutional. The Clampitt court found Warshak to be rather persuasive.

Ultimately, the Missouri Court of Appeals found that people have a reasonable expectation of privacy in text messages. "[A]s text messaging becomes an ever-increasing substitute for the more traditional forms of communication, it follows that society expects the contents of text messages to receive the same Fourth Amendment protections afforded to letters and phone calls." Further, the court found the search to be unreasonable and that good faith did not exist in obtaining the records.

In Warshak, the court determined that good faith existed because investigators relied on the Stored Communications Act, which traditionally allows e-mails and similar content to be obtained. In Clampitt, however, the state did not argue good faith reliance on the SCA so the court did not address it. Also, the good faith exception is only applicable to police officers, but here, it was the prosecutor who improperly obtained the messages.

SIDE NOTE: Our courts have traditionally held that there is no expectation of privacy in information held by a third party (See, e.g. United States v. Miller, 425 U.S. 435 (1976)). In the recent SCOTUS opinion in Jones (prior post here), Justice Sotomayor suggested a willingness to rethink that notion.

Friday, January 6, 2012

Tracking computer usage, free credit monitoring, and digital forensics guides from corporations

I have collected several random stories recently that do not deserve their own post alone, but that I thought should be shared.
  • From Lifehacker, this post shows you how to see if someone has been using your computer when you were not around. Using the Windows Event Viewer, users can see system logs detailing each time the computer boots or wakes from sleep or hibernation.
  • This isn't an endorsement nor do I really know much about this service, but Lifehacker did an article about Credit Karma, a credit monitoring service that notifies you of changes via e-mail. The service once restricted its number of users, but it is now free to anyone who registers. WSJ, NYT, CNN, and others have also recommended the service.
  • SANS's Computer Forensics website provides links to corporate handbooks for digital forensics investigators from companies like Microsoft, eBay, MySpace, and more. Some of the information is outdated, but it may give you an idea as to what is required and who to contact.

Sunday, January 1, 2012

Ninth Circuit finds standing to challenge government's alleged communications dragnet

In a lawsuit alleging "widespread warrantless eavesdropping" in violation of the Foreign Intelligence Surveillance Act, the Electronic Communications Privacy Act, and the Stored Communications Act, the Ninth Circuit has reversed and remanded the lower court dismissal on standing grounds. Jewel v. NSA, 673 F.3d 902 (2011).

The suit, backed by the Electronic Frontier Foundation, alleged "that the government[] operated a 'dragnet collection' of communications records by 'continuously soliciting and obtaining the disclosure of all information in AT&T's major databases.'" The district court dismissed the complaint, finding that Jewel's complaint failed by not "specifically linking any of the plaintiffs to the alleged surveillance activities."

Of course, the issue is whether Jewel could demonstrate a "sufficiently concrete and specific injury" in order to have standing. The court found that the complaint "described in detail the ... equipment used ... at the particular AT&T facility" and that she "alleged with particularity that her communications were part of the dragnet."

RELATED CASE: The Ninth Circuit also decided, in a separate opinion, that § 802 of the Foreign Intelligence Surveillance Act, which immunizes telecommunications companies from liability for cooperating with the government's investigations, is constitutional. In re NSA Telcoms. Records Litig., 2011 U.S. App. LEXIS 25949 (2011).

Monday, December 12, 2011

Va. court sanctions attorney for frivolous SCA claim

A Virginia circuit court recently denied a claim under the Stored Communications Act in which the plaintiff alleged an SCA violation regarding Facebook accounts, even though the information had been publicly accessed. Womack v. Yeoman, 2011 Va. Cir. LEXIS 143.

The case concerned the plaintiff's injuries sustained in a vehicle accident. The defense counsel used MySpace and Facebook to research the plaintiff and her family to learn more about the damages, looking over various postings. The plaintiff's counsel did not perform similar research but was assured the profiles were private (the court found this was not a reasonably sufficient inquiry).

Plaintiff's counsel accused the defense of engaging in "unethical and illegal conduct by 'hacking' into" the accounts and claimed that the act "violate[d] Plaintiff's and her families (sic) right to privacy under the [SCA]." The court found that all information obtained by the defense was publicly available and no violation of the SCA had occurred. Further, the defense was awarded attorneys' fees as sanctions for the claim.

But consider this: what settings are required to make something "private?" Here's a depiction of nearly every level to which access to one's Facebook information can be restricted:


To the left, you have the group of people who will be unable to access postings because they have neither Internet access nor a Facebook account. Since both are required to access the majority of FB data, does this make it such an exclusive group that it is not public? Obviously not. But suppose the defense attorney was a "friend of a friend" of the plaintiff, and the settings then allowed him to obtain her postings. The plaintiff had not specifically approved the lawyer, but their relation gave him access. Or taking it to the extreme, is "private" only the information which the user shares with no one other than themselves? Possibly.