What the Stored Communications Act would look like after Rep. Lofgren's ECPA reform bill (H.R. 983)

I wrote previously about Rep. Lofgren (and others) proposing a modification to the Stored Communications Act (SCA) as well as an addition to the ECPA regarding disclosure of geolocation information; that post can be found, here: Quick details on H.R. 983, the ECPA reform bill announced today.

I decided to update the relevant portions of the SCA (18 U.S.C. 2701-2705) with the modifications in H.R. 983. You can see the bill and my markup, below (original from Cornell's LII):

18 USC § 2701 - Unlawful access to stored communications

(a) Offense.— Except as provided in subsection (c) of this section whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

(b) Punishment.— The punishment for an offense under subsection (a) of this section is—

(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State—

(A) a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and

(B) a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and

(2) in any other case—

(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and

(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.

(c) Exceptions.— Subsection (a) of this section does not apply with respect to conduct authorized—

(1) by the person or entity providing a wire or electronic communications service;

(2) by a user of that service with respect to a communication of or intended for that user; or

(3) in section 2703, 2704 or 2518 of this title.

18 USC § 2702 - Voluntary disclosure of customer communications or records

(a) Prohibitions.— Except as provided in subsection (b) or (c)—

(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and

(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge to any governmental entity the contents of communication covered by subsection (a) of section 2703 or any a record or other information pertaining to a subscriber to or customer or user of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

(b) Exceptions for disclosure of communications.— A provider described in subsection (a) may divulge the contents of a communication—

(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient;

(2) as otherwise authorized in section 2517, 2511 (2)(a), or 2703 of this title;

(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;

(4) to a person employed or authorized or whose facilities are used to forward such communication to its destination;

(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;

(6) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A;

(7) to a law enforcement agency—

(A) if the contents—

(i) were inadvertently obtained by the service provider; and

(ii) appear to pertain to the commission of a crime; or

[(B) Repealed. Pub. L. 108–21, title V, § 508(b)(1)(A),Apr. 30, 2003, 117 Stat. 684]

(8) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.

(c) Exceptions for Disclosure of Customer Records.— A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2))—

(1) as otherwise authorized in section 2703;

(2) with the lawful consent of the customer or subscriber;

(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;

(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;

(5) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A; or

(6) to any person other than a governmental entity.

(d) Reporting of Emergency Disclosures.— On an annual basis, the Attorney General shall submit to the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate a report containing—

(1) the number of accounts from which the Department of Justice has received voluntary disclosures under subsection (b)(8); and

(2) a summary of the basis for disclosure in those instances where—

(A) voluntary disclosures under subsection (b)(8) were made to the Department of Justice; and

(B) the investigation pertaining to those disclosures was closed without the filing of criminal charges.

18 USC § 2703 - Required disclosure of customer communications or records

(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, that is stored, held, or maintained by that service, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. Within three days after a governmental entity receives such contents from a service provider pursuant to this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail, or other means reasonably calculated to be effective as specified by the court issuing the warrant to the subscriber, customer, or user a copy of the warrant and a notice that includes the information referenced in section 2705(a)(4)(A) and (B)(i), except that delayed notice may be provided, pursuant to section 2705 of this title. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of Wire or Electronic Communications in a Remote Computing Service.—

(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(2) Paragraph (1) is applicable with respect to any wire or electronic communication that is held or maintained on that service—

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.

(c) Records Concerning Electronic Communication Service or Remote Computing Service.—

(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction;

(B) obtains a court order for such disclosure under subsection (d) of this section;

(C) has the consent of the subscriber or customer to such disclosure;

(D) submits a formal written request relevant to a law enforcement investigation concerning telemarketing fraud for the name, address, and place of business of a subscriber or customer of such provider, which subscriber or customer is engaged in telemarketing (as such term is defined in section 2325 of this title); or

(E) seeks information under paragraph (2).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the—

(A) name;

(B) address;

(C) local and long distance telephone connection records, or records of session times and durations;

(D) length of service (including start date) and types of service utilized;

(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and

(F) means and source of payment for such service (including any credit card or bank account number),

of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

(3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.

(d) Requirements for Court Order.— A court order for disclosure under subsection (b) or (c) may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. In the case of a State governmental authority, such a court order shall not issue if prohibited by the law of such State. A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.

(e) No Cause of Action Against a Provider Disclosing Information Under This Chapter.— No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter.

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

(g) Presence of Officer Not Required.— Notwithstanding section 3105 of this title, the presence of an officer shall not be required for service or execution of a search warrant issued in accordance with this chapter requiring disclosure by a provider of electronic communications service or remote computing service of the contents of communications or records or other information pertaining to a subscriber to or customer of such service.

18 USC § 2704 - Backup preservation

(a) Backup Preservation.—

(1) A governmental entity acting under section 2703 (b)(2) may include in its subpoena or court order a requirement that the service provider to whom the request is directed create a backup copy of the contents of the electronic communications sought in order to preserve those communications. Without notifying the subscriber or customer of such subpoena or court order, such service provider shall create such backup copy as soon as practicable consistent with its regular business practices and shall confirm to the governmental entity that such backup copy has been made. Such backup copy shall be created within two business days after receipt by the service provider of the subpoena or court order.

(2) Notice to the subscriber or customer shall be made by the governmental entity within three days after receipt of such confirmation, unless such notice is delayed pursuant to section 2705 (a).

(3) The service provider shall not destroy such backup copy until the later of—

(A) the delivery of the information; or

(B) the resolution of any proceedings (including appeals of any proceeding) concerning the government’s subpoena or court order.

(4) The service provider shall release such backup copy to the requesting governmental entity no sooner than fourteen days after the governmental entity’s notice to the subscriber or customer if such service provider—

(A) has not received notice from the subscriber or customer that the subscriber or customer has challenged the governmental entity’s request; and

(B) has not initiated proceedings to challenge the request of the governmental entity.

(5) A governmental entity may seek to require the creation of a backup copy under subsection (a)(1) of this section if in its sole discretion such entity determines that there is reason to believe that notification under section 2703 of this title of the existence of the subpoena or court order may result in destruction of or tampering with evidence. This determination is not subject to challenge by the subscriber or customer or service provider.

(b) Customer Challenges.—

(1) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (a)(2) of this section, such subscriber or customer may file a motion to quash such subpoena or vacate such court order, with copies served upon the governmental entity and with written notice of such challenge to the service provider. A motion to vacate a court order shall be filed in the court which issued such order. A motion to quash a subpoena shall be filed in the appropriate United States district court or State court. Such motion or application shall contain an affidavit or sworn statement—

(A) stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications maintained for him have been sought; and

(B) stating the applicant’s reasons for believing that the records sought are not relevant to a legitimate law enforcement inquiry or that there has not been substantial compliance with the provisions of this chapter in some other respect.

(2) Service shall be made under this section upon a governmental entity by delivering or mailing by registered or certified mail a copy of the papers to the person, office, or department specified in the notice which the customer has received pursuant to this chapter. For the purposes of this section, the term “delivery” has the meaning given that term in the Federal Rules of Civil Procedure.

(3) If the court finds that the customer has complied with paragraphs (1) and (2) of this subsection, the court shall order the governmental entity to file a sworn response, which may be filed in camera if the governmental entity includes in its response the reasons which make in camera review appropriate. If the court is unable to determine the motion or application on the basis of the parties’ initial allegations and response, the court may conduct such additional proceedings as it deems appropriate. All such proceedings shall be completed and the motion or application decided as soon as practicable after the filing of the governmental entity’s response.

(4) If the court finds that the applicant is not the subscriber or customer for whom the communications sought by the governmental entity are maintained, or that there is a reason to believe that the law enforcement inquiry is legitimate and that the communications sought are relevant to that inquiry, it shall deny the motion or application and order such process enforced. If the court finds that the applicant is the subscriber or customer for whom the communications sought by the governmental entity are maintained, and that there is not a reason to believe that the communications sought are relevant to a legitimate law enforcement inquiry, or that there has not been substantial compliance with the provisions of this chapter, it shall order the process quashed.

(5) A court order denying a motion or application under this section shall not be deemed a final order and no interlocutory appeal may be taken therefrom by the customer.

18 USC § 2705 - Delayed notice

(a) Delay of Notification.—

(1) A governmental entity acting under section 2703 (b) 2703(a) of this title may—

(A) where a court order warrant is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) 2703(a) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order warrant may have an adverse result described in paragraph (2) of this subsection; or

(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703 (b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.

(2) An adverse result for the purposes of paragraph (1) of this subsection is—

(A) endangering the life or physical safety of an individual;

(B) flight from prosecution;

(C) destruction of or tampering with evidence;

(D) intimidation of potential witnesses; or

(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).

(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.

(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail or other means reasonably calculated to be effective as specified by the court issuing the warrant to, the customer or subscriber a copy of the process or request warrant together with notice that—

(A) states with reasonable specificity the nature of the law enforcement inquiry; and

(B) informs such customer or subscriber—

(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;

(ii) that notification of such customer or subscriber was delayed;

(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and

(iv) which provision of this chapter allowed such delay.

(6) As used in this subsection, the term “supervisory official” means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency’s headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney’s headquarters or regional office.

(b) Preclusion of Notice to Subject of Governmental Access.— A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703 (b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in—

(1) endangering the life or physical safety of an individual;

(2) flight from prosecution;

(3) destruction of or tampering with evidence;

(4) intimidation of potential witnesses; or

(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Read More

Vermont Supreme Court upholds search warrant conditions requiring screening in computer search

The Vermont Supreme Court has held that a judge may attach ex ante conditions to a search warrant in an attempt to protect privacy of those searched. The judge issuing the warrant had specified that a search of electronic devices had to be conducted through a third party and restricted evidence of crimes unrelated to the specified crime of identity theft from being shared with investigators. The court did, however, strike down a condition prohibiting the use of the plain view doctrine. In re Application for Search Warrant (2010-479), 2012 VT 102.

An IP address obtained during an identity theft investigation led police to a Vermont address. The resident had set up an unsecured wireless network, and after the resident gave law enforcement permission to access it, the officer determined that a neighbor had accessed the network several times over the previous month. An application was made to search the address, and it was noted that several people lived at the address. The judge granted the search, but placed several restrictions on it including one forbidding police form relying on the plain view doctrine and another requiring a third party to perform a search of computers and forbidding them from sharing evidence of other crimes with investigators or prosecutors. The state filed a motion with the Vermont Supreme Court to have the restrictions removed.

The court held that the plain view doctrine restriction was inappropriate. The later requirements related to the sharing of other evidence removed the need for the provision. But further, "it is beyond the authority of a judicial officer issuing a warrant to abrogate a legal doctrine in this way."

With regard to the requirement of a third party to search the computers and withhold evidence of other crimes from investigators, the court upheld the restriction, finding that the broad search request coupled with "a legitimate privacy interest" allows a judge to provide "instructions on how a search will be conducted."

The court also upheld limitations on techniques of the search as well as instructions concerning "the copying, return, and destruction" of the property acquired in the search.

A concurring and dissenting opinion by Justice Burgess argued that the use of a third party to screen the evidence "does not protect actual privilege or privacy, does not further a Fourth Amendment privacy interest, and does not lend further particularity to the search."

Read Professor Kerr's analysis of the decision here and his 2010 article on the issue here.

Read More

District court case provides road-map for what not to do under the Fourth Amendment

In Hatfield v. McDaniel, 2012 U.S. Dist. LEXIS (M.D. Ala. October 19, 2012), the court allowed the plaintiff's case alleging violations of section 1983 resulting from two illegal searches to proceed. The defendants were law enforcement officers and state/local entities that were party to the alleged Fourth Amendment violations.

This is the closest case I've ever seen of what not to do under the Fourth Amendment:
1.  Facially invalid searchwarrant - check
2.  Search of computer (pursuant to facially invalid search warrant), which was allowed within 10 days, executed 1 year later - check
3.  Failure to stop a search upon the owner's revocation of consent - check

Hatfield owned a car stereo store which occasionally accepted trade-in merchandise. He was careful, however, not to accept stolen goods. When a car stereo was brought in that he believed was stolen, he refused to accept it, and an officer showed up shortly after to take custody of the stereo and arrest the individual trying to trade it in. At that time, Hatfield asked the officer to take a look at a rifle he had received as a trade-in, because he was unsure if that was stolen, too. It turns out that it was.

The officers decided, based on the stolen merchandise they had found so far, that it would be prudent to go through all of Hatfield's inventory to check for other stolen merchandise. Hatfield agreed. The officers began the search, and a little while later, a drug dog showed up (his name was Hobbs - he was not a party to the action). At that point Hatfield removed consent for the search. The officers told him he could do it the hard way, or the easy way. Hatfield chose the hard way, which involved his arrest for the stolen rifle, and the police obtaining a warrant from a judge to continue to search. However, instead of waiting until the warrant arrived, there was evidence that the search continued at Hatfield's store. Error #1.

At some point during the search, Hatfield's girlfriend told officers there was child pornography on his computer. They drafted a facially invalid warrant, based on only her statement and no other evidence - they did not even include in the warrant a statement regarding her veracity or the basis for her claim. Error #2.

They then executed the facially invalid search warrant for Hatfield's computer, and seized it. The warrant gave the police 10 days to do so. Then, 1 year later, they actually searched the computer and found child pornography. (In my opinion, Error #3 - the court held otherwise).

Prior to trial, Hatfield moved to suppress all of the evidence obtained after he revoked consent, and the court granted the motion. This included the seizure of the computer. So, all charges were dropped. Hatfield then sued the police, the city, and individual officers for Section 1983 violations related to the search. The defendants moved for summary judgment, arguing qualified immunity applied. However, the court disagreed.

As to the search after consent was revoked, the court cited Arizona v. Hicks as controlling, and stated the following:

The controlling precedent, then, shows that an officer moving a box in Powerhouse Audio, even if only a few inches, and then inspecting it constituted a search (even if that search revealed nothing of great value). Accordingly, on summary judgment, Lieutenant McDaniel and Officer Furlong, who allegedly participated in that warrantless search, are not entitled to invoke the defense of qualified immunity as a shield to Mr. Hatfield's Fourth Amendment claim against them. (emphasis added)

The court then went on to analyze the search/seizure of the computer. Hatfield argued that the search warrant had not been executed within the defined term of 10 days, because the computer wasn't actually searched within that period. The court disagreed (which I think, personally, was erroneous). The court held that execution of the warrant occurred within 10 days because the seizure occured within 10 days. The court reached that conclusion as follows:

While it is undisputed that Sergeant Graves did not search the computer until nearly a year after the warrant was issued, it does not necessarily follow that the warrant was not executed within the ten-day limit. Although the term "execute" is undefined in § 15-5-12, usage of the term suggests a search warrant is executed when the described property is physically seized and taken into police custody. In the context of electronically stored information, that would mean the warrant is executed when the computer is seized, not when the files are accessed. 

With respect to the warrant to search the computer, the court held that it lacked even "a hint" of probable cause and was therefore facially invalid. The court explained:

. . . in light of controlling precedent, the affidavit fails to establish even probable cause to believe there would be pictures of children, pornographic or otherwise, on Mr. Hatfield's computer. The only fact supporting such a conclusion is the statement of an unidentified woman at the scene, because the affidavit did not reveal Ms. Neal's identity but only referred to her as "a person that was at the store." . . . It is well settled law that a statement from an anonymous source may establish probable cause for a search warrant, but only so long as "given all the circumstances set forth in the affidavit . . . , including the 'veracity' and 'basis of knowledge' of persons supplying hearsay information, there is a fair probability that contraband or evidence of a crime will be found in a particular place." Illinois v. Gates, 462 U.S. 213, 238, 103 S. Ct. 2317, 76 L. Ed. 2d 527 (1983). But here the only fact tending to establish probable cause is the anonymous statement, and there is absolutely nothing in the affidavit supporting the veracity or basis of knowledge of the woman who made it. . . .The statement here lacks even a conclusory assurance of reliability and credibility, so it could not have provided probable cause for a search warrant.

Moreover, the warrant was "so lacking in indicia of probable cause as to render official belief in its existence unreasonable." The court rejected a last ditch argument that the officer's conduct was based on the collective knowledge of law enforcement:

Even assuming Sergeant Graves had access to the collective knowledge of law enforcement, Mr. Hatfield's evidence shows his computer was searched pursuant to a facially void warrant. That conduct, if established at trial, constitutes a violation of clearly established law, and Sergeant Graves is therefore not entitled to invoke the defense of qualified immunity.

Total fail - check.

Read More