On October 7, 2014, Twitter, Inc. filed a lawsuit in the U.S. District Court for the Northern District of California seeking permission to publicly disclose details about legal requests from the U.S. government regarding its customers. Twitter, Inc. v. Holder,Case No. 14-cv-4480 (N.D. Ca. Oct. 7, 2014). Twitter is seeking declaratory relief in order to publish a Transparency Report detailing information regarding requests Twitter received for customer information related to national security and foreign intelligence.
With the advancement of digital technology, corporations and individuals alike have abandoned traditional forms of file retention in favor of digital retention which provides the ability to store exponentially more data (e.g., documents, pictures and electronic recordings) at a fraction of the cost. In addition, digital storage provides a more reliable and detailed source of information than ever previously available to investigators. Add to this the developing trend of businesses migrating from server/exchange storage to cloud storage and then Twitter’s lawsuit becomes infinitely more relevant. Various provisions of the Stored Communications Act (“SCA”) authorize the federal government to compel providers of electronic communication services (“Providers”), such as Twitter, Yahoo!, Google, Apple and Amazon, to disclose customer information ranging from name, address, length of service and source for payment of service (including credit card or bank account numbers) to actual content of communications—the date and time each email was sent, the destination and source addresses for each email and the size and length of each email.
Seemingly innocuous in the analysis of the statute is the danger to the actual owners of the data emanating from Sections 2705 and 2709 of the SCA. These two provisions allow the government to either delay or completely withhold notification to the end user/customer. Under Section 2705, the federal government can request an order from the court prohibiting the Provider from giving notice to its customer that it has received legal process (e.g., administrative subpoena, grand jury subpoena or warrant) for the customer’s account, many times based solely upon the government’s unchallenged assertion that notice to the customer would jeopardize an investigation or unduly delay trial. Moreover, and as highlighted by Twitter’s lawsuit, Section 2709 allows the FBI to prevent a Provider from disclosing that the FBI requested or obtained information on a customer’s account indefinitely upon the certification of the Director of the FBI that such disclosure would compromise national security or interfere with a criminal investigation.
As reflected in Twitter’s lawsuit and based on current government actions, it is more than probable that business information stored on a third-party cloud could be accessed by the Provider and disclosed to the federal government with the business finding out only when an indictment is issued and discovery of the government’s evidence is provided leading up to trial. In addition, recent government search warrant applications for the content of electronic communications make clear that the Provider may be required to copy and produce large portions, if not all, of a customer’s account with little or no limitation as to what is to be provided to the government. See In the Matter of the Search of Information Associated with [redacted]@mac.com That is Stored at Premises Controlled by Apple, Inc., Case No. 14-228 (D.D.C. Aug. 8, 2014) (holding a search warrant application requiring Apple to disclose all emails and records related to a specific account constitutional because it met the particularity requirement [by identifying a specific email account] and was supported by probable cause stating that fruits of the crime were likely to be found in the specific email account); see also In the Matter of a Warrant for All Content and Other Info. Associated with the Email Accountxxxxxxx@gmail.com Maintained at Premises Controlled by Google, Inc., No. 14 Mag. 309 (S.D.N.Y. July 18, 2014). Unfortunately, the courts have yet to strike a balance between the government’s investigative rights and a customer’s privacy rights. This is partly due to the sealed nature of search warrant applications which has led to a lack of reported opinions on Fourth Amendment standards for warrants seeking electronic communications. Moreover, the SCA itself virtually calls for this lack of direction since it only provides a method for customer challenges to the government’s search and seizure efforts after the customer has been notified—which, in most cases, will be after the government has already obtained and, likely, searched the electronic data.
The use of broadly worded search warrants to Providers also has another unintended side effect which could be problematic in the future. Per the Department of Justice’s manual on seizing electronic data, federal prosecutors are guided to seek warrants requiring Providers to disclose all emails and files to the government. Then, the government segregates data for which it has established probable cause, from the data not relevant to the government’s investigation. The information seized by the government (and supported by probable cause) is turned over to the investigative team. However, the disclosed information for which no probable cause exists, is still retained by the government indefinitely, and with the multiple exceptions to the requirement of a search warrant (e.g., plain view, inevitable discovery, etc.), there is a great risk that the government will take advantage of the windfall of electronic information for an unrelated prosecution. See United States v. Ganias, No. 12-240-cr, 2014 WL 2722618 (2nd Cir. June 17, 2014) (government contractor’s conviction for tax evasion on personal tax returns vacated because the tax evasion case was beyond the scope of the original warrant for a fraud investigation). As Ganias shows, absent a post-conviction appeal, it is reasonable to fear that prosecutors will review non-responsive evidence in the absence of court-imposed safeguards to prevent it.
Companies migrating to clouds, and particularly those with international offices, should pay special attention to the policies of their Provider in relation not only to reporting but also responding to service of legal process.