Significant Developments in Law Enforcement Access Issues for Company Counsel

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Law Enforcement Access

The future development of rules and law involving law enforcement's access to electronic information will require an ongoing commitment by law enforcement, legislators and the courts to carefully balance privacy protections with legitimate needs for access, and require companies to consider how emerging technologies in their field fit within this changing legal framework, the authors write.

Kendall Burman Greg  Deis Laura Hammargren

By Kendall Burman, Greg Deis and Laura Hammargren

Kendall Burman is a cybersecurity and data privacy counsel at Mayer Brown LLP in Washington. Prior to joining Mayer Brown, Burman served in the administration of President Barack Obama, most recently as deputy general counsel for the U.S. Department of Commerce.

Greg Deis is a partner at Mayer Brown in Washington where he represents clients in the U.S. Department of Justice, Securities and Exchange Commission and other criminal regulatory investigations. Prior to joining Mayer Brown, Deis was a federal prosecutor.

Laura Hammargren is a partner at Mayer Brown in Chicago and is a member of the firm's Cybersecurity & Data Privacy Group.

On Oct. 14, the U.S. Department of Justice (DOJ) petitioned the U.S. Court of Appeals for the Second Circuit for rehearing en banc in its dispute with Microsoft Inc. over whether a U.S. court can issue a search warrant for e-mail content stored by Microsoft on its servers in Ireland. Technology companies have closely watched the Microsoft Ireland case because the dispute focuses on whether there are geographical constraints on U.S. law enforcement's access to data stored by service providers outside the U.S. The Second Circuit held that there are, finding that the Stored Communications Act (SCA), 18 U.S.C. § 2703, does not extend outside the borders of the U.S. This question is significant for U.S. companies that store data on servers located abroad, whether through cloud-based services or otherwise.

In addition to the Microsoft Ireland case, there have been other significant developments during 2016 regarding law enforcement's access to electronically-stored data, including high-profile litigation between the DOJ and Apple Inc. regarding encryption on iPhone devices. In addition, the DOJ has proposed legislation that would make it easier for U.S. law enforcement to obtain data located overseas, although the legislation would afford foreign governments the reciprocal right to obtain content stored in the U.S. Finally, amendments to the Federal Rules of Criminal Procedure that went into effect Dec. 1, have also prompted speculation about the consequences of expanding law enforcement's ability to obtain a search warrant when suspects utilize multiple computers or mask the location of their computer in perpetrating crimes.

Microsoft Ireland Case

In July, the U.S. Court of Appeals for the Second Circuit quashed a search warrant that required Microsoft to produce the content of a customer's e-mails stored on a server located in Ireland. Matter of Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation , 829 F.3d 197 (2d Cir. 2016). The Court held that execution of the warrant would constitute an unlawful extraterritorial application of the SCA.

In reaching this conclusion, the Second Circuit focused on whether Congress intended the SCA to apply extraterritorially. In considering this question, the court noted that Congress passed the SCA in 1986 when “Congress had as reference a technological context very different from today's Internet-saturated reality.” Id. at 205-06. Based on this context, along with the SCA's structure and language, the Second Circuit found no evidence of Congressional intent to apply the SCA to data located outside the U.S.

In seeking to uphold the SCA warrant, the DOJ argued that the court should look at the law relating to subpoenas—where courts routinely compel U.S. companies to produce documents located overseas, provided the documents are within the U.S. company's custody and control. The Second Circuit rejected this comparison, reasoning that warrants and subpoenas have long been considered distinct legal instruments—a distinction expressly recognized in the SCA where Congress provided warrants with a greater level of protection as compared to subpoenas.

The Second Circuit also dismissed the DOJ's argument that the activity at issue was not extraterritorial. The DOJ's argument was based on the fact that a Microsoft employee located in the U.S. could access the requested content stored in Ireland through Microsoft's database management program. The Second Circuit focused on the physical location of the data—Ireland—as opposed to the electronic point of access (the U.S.).

The court was also not moved by the DOJ's arguments that not permitting the SCA to apply outside the U.S. would place a “substantial” burden on the government and “seriously impede” law enforcement efforts, insofar as the Second Circuit's decision would force the government to proceed through the Mutual Legal Assistance Treaty (MLAT) process—which the lower court had noted can be quite burdensome. The Second Circuit reasoned that such practical considerations could not outweigh Congress's intent that the SCA not apply extraterritorially.

In a concurring opinion, Judge Lynch minimized the impact of the majority's conclusion on individual privacy interests—noting that a federal magistrate judge had concluded that there was probable cause to review the content of the individual's e-mails, consistent with the requirements of the Fourth Amendment. As Judge Lynch saw it, “the dispute here is not about privacy, but rather about the international reach of American law.” Id. at 225.

Judge Lynch also stressed his view that the DOJ had a legitimate need for data stored overseas to investigate crimes centered in the U.S. Judge Lynch noted that Microsoft relies solely on customer-provided information regarding location/residency in determining the storage servers to use in providing service to the customer. In the case before it, the nationality of the customer was unknown—a fact that would have been relevant to Judge Lynch. Judge Lynch reasoned there was a difference between the U.S. government's pursuit of the “emails of an Irish national, stored in Ireland, from an American company which had marketed its services to Irish customers in Ireland”—which, in his view, would raise comity concerns—and the government's pursuit of e-mails of a U.S. resident, accessible in the U.S. by Microsoft “at the push of a button…which are stored on a server in Ireland only as a result of the American customer's misrepresenting his or her residence, for the purpose of facilitating domestic violations of American law.” Id. at 230. Judge Lynch noted that there was no evidence (and, indeed, it was implausible given the technological landscape in 1986) that Congress weighed these concerns, but encouraged it to do so given the evolutions in technology over the past 30 years. Without urging that Congress adopt the government's interpretation into the SCA, Judge Lynch simply noted that Congress should “weigh[] the costs and benefits of authorizing court orders of the sort at issue in this case.” Id. at 231.

Congress will have the opportunity to do so based on legislation proposed by the DOJ. Under the proposed legislation, U.S. investigators could seek data located overseas, provided the U.S. government has entered into a reciprocal agreement with the country in which the data is located and the agreement meets certain statutory requirements. These agreements would be reciprocal and permit foreign governments to go directly to U.S. service providers for content located in the U.S. to investigate with certain limitations, including: (1) this means of process can only be used in support of criminal investigations where a non-U.S. person is the target; (2) the target is reasonably believed to be located abroad; and (3) U.S. service providers may challenge in U.S. court any request received from a foreign government. The legislation would prohibit the U.S. from entering into such agreements with a foreign government unless the country “affords robust substantive and procedural protection for privacy and civil liberties.” See id. at pg. 12.

While this legislation is pending, the Microsoft litigation continues. On October 14, 2016, the DOJ filed its petition for rehearing with the Second Circuit, arguing that the three-judge panel erroneously engaged in an extraterritoriality analysis. In the DOJ's view, “If the conduct relevant to the statute's focus occurred in the United States, then the case involves a permissible domestic application even if other conduct occurred abroad.” The DOJ argues that the focus of the SCA is on disclosure of information, not privacy, and this disclosure will occur to law enforcement located in the United States. U.S. Senator Orrin Hatch has articulated the opposing viewpoint: “Federal judges have rightly concluded that current law does not provide U.S. law enforcement with authority to access data stored overseas. Ultimately, Congress—rather than the courts—should establish a legal standard for accessing extraterritorial communications.”

DOJ's Litigation With Apple Regarding iPhone Encryption

In addition to the Microsoft case, the DOJ was also involved in high-profile litigation with Apple. In February, a magistrate judge in the Eastern District of New York denied the DOJ's request for an order requiring Apple to bypass the passcode security on an Apple device. In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by this Court , 149 F. Supp.3d 341 (E.D.N.Y. 2016). The case arose from an iPhone 5 that DEA agents had seized as part of a drug investigation, pursuant to a lawful search warrant for the residence of Jun Feng.

The government attempted to access the device but was unable to bypass the iPhone's passcode security and sought Apple's technical assistance. Apple informed the government that it could and would unlock the iPhone 5—but only if a court issued an order requiring Apple to assist the government. See id. at 346. The government made its request pursuant to the All Writs Act, 28 U.S.C. §1651(a) (AWA). In its application, the government made several factual assertions, including the following: (1) agents are unable to search the iPhone 5 because the device is locked; (2) examining the iPhone 5 without Apple's assistance—if it is possible at all—would require significant resources and could harm the device; and (3) the requested order would not place an unreasonable burden on Apple.

Over the next few months, the DOJ and Apple submitted numerous filings, focused on, among other issues, the scope of the AWA, the necessity of the DOJ's request and the burden on Apple in complying with the DOJ's requested order. Focusing first on the AWA, the court noted the “AWA's overall function as a ‘gap filler.’” Id. at 353. Specifically, the court found that the AWA is meant to supply the courts with the instruments needed to perform their duties, but that there are limitations on its scope, including where Congress has considered legislation in a particular area but declined to adopt it.

The court then turned to the Communications Assistance for Law Enforcement Act (CALEA). 47 U.S.C. §§1001-1010. The court concluded that CALEA could be interpreted as “explicitly absolv[ing] a company like Apple of any responsibility to provide the assistance the government seeks here,” but, “even if CALEA does not have such an explicit prohibition, it is part of a larger legislative scheme that is so comprehensive as to imply a prohibition against imposing requirements on private entities such as Apple that the statute does not affirmatively prescribe.” Id. at 354.

The court went on to find that, even if the AWA permitted the requested relief, the DOJ's requested order should be denied under the discretionary factors set forth in the Supreme Court's decision in United States v. New York Tel. Co., 434 U.S. 159 (1977). The court's conclusion was based on the following: (1) Apple had no connection to Feng's criminal activity or the government's investigation; (2) the request would impose an unreasonable burden on Apple; and (3) the government failed to establish the necessity of the requested relief.

In discussing necessity, the court noted that an agent from the Department of Homeland Security (DHS) had testified in an unrelated case that agents could use “IP-Box” technology to access an iPhone 5 operating on the iOS 8.1.2 operating system—a system more difficult to bypass as compared to the iOS7 software on Feng's iPhone. When confronted with this evidence—which the court noted undercut the government's prior representation that it was not possible to bypass the iPhone's passcode security without Apple's assistance—the DOJ retreated to a middle-ground position, stating that the use of third-party technology presented a “non-trivial risk of data destruction.” Id. at 374. The court rejected the government's argument, finding that it had failed to satisfy its burden of showing necessity.

Companies reading the Apple opinion should, in particular, focus on the factors the court noted in finding that the government's request would impose an unreasonable burden on Apple, which included: (1) the number of other DOJ requests for Apple's assistance; (2) the negative impact on the market's perception of Apple and its protection of customer's personal data; (3) the assistance sought by the government was not something Apple would do in the ordinary course of business and Apple had never voluntarily offered the government the type of assistance requested; and (4) providing the requested assistance would divert resources from Apple's normal business operations.

At the end of its opinion—consistent with Judge Lynch's concurrence in Microsoft—the court stressed the need for Congress to consider the arguments and policy considerations presented by the government and Apple:

How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago. But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive. It would betray our constitutional heritage and our people's claim to democratic governance for a judge to pretend that our Founders already had that debate, and ended it, in 1789. Id. at 374.

Ultimately, the New York litigation became moot when the government was able to bypass the device's security code with the assistance of a third-party consultant. But commentators expect more litigation on the encryption front, particularly as encryption technology continues to advance. As the New York Times noted, “[w]ith the F.B.I. still pushing to open other locked phones, Apple's backers are preparing for a long fight.” Following the litigation in New York, legislation was proposed in the U.S. Senate that would require companies to provide assistance to law enforcement or provide decrypted data, but that legislation did not move forward this year.

Revisions to Federal Rule of Criminal Procedure 41

On Dec. 1, amendments to Federal Rule of Criminal Procedure 41 went into effect, which would give courts authority to issue more expansive search warrants for investigators to remotely access and retrieve data.

Rule 41 details the geographic limits on all federal judges in issuing search warrants, and prohibits a judge from approving a warrant when the target of the search is located outside of his or her district, with limited exceptions. The amendments allow a judge to approve out-of-district remote access computer search warrants in two circumstances: (1) when a suspect has hidden their online location and identity using technical means; and (2) where the crime involves criminals hacking computers located in five or more different judicial districts. Although DOJ's position, as stated in a June 20 statement, is that these are narrow circumstances that do not authorize any search that is not already lawfully permitted, others have expressed concerns that these amendments broaden investigators' ability to do remote searching in ways that infringe on privacy rights.

As to the first circumstance, DOJ maintains that this is necessary because technology is making it increasingly common for suspects to shield their identity and the location of their computers, preventing law enforcement from knowing the location of the computer (and, thus, the proper U.S. district in which to seek a search warrant). DOJ notes that while warrants are often issued under the current Rule 41 in these circumstances, there is inconsistent jurisprudence as to whether evidence obtained under these warrants should be allowed or suppressed under the current version of the rule.

Critics of the amendment are concerned that it removes geographic limits for remote electronic searches, including in places where U.S. law enforcement generally does not have the ability to obtain an execute a search warrant ( e.g., outside the U.S.). Commentators have also expressed concern that the amendment too broadly applies to privacy-protection tools that may mask the location of users for legitimate reasons, such as people using a virtual privacy network (VPN) application to prevent potential unauthorized access on unfamiliar networks or denying access to location data for smartphone apps in order to prevent location information from being broadly shared. It may also introduce forum shopping insofar as agents might have a broader choice of districts in which they could apply for search warrants, as under the new rule, a warrant can be sought in any district in which an element of the crime occurred. Agents could therefore seek out districts that are more inclined to approve broader warrant applications when anonymizing technology is at issue.

As to the second circumstance, in which a single judge can issue a warrant across districts where five or more districts are involved, DOJ's position is that most courts already permit the search of multiple computers pursuant to a single warrant where necessary legal requirements are met, and that the amendment will ensure that federal agents can go to a single judge in a large hacking incident instead of submitting separate applications in each of the applicable districts, potentially up to 94 districts.

Those opposed to the amendment have expressed concerns that the amendment would permit multiple intrusions on victims' computers/devices, thereby increasing the potential damages that may accompany such intrusions. Not only will victims have been the victim of a criminal hack, but critics fear this will ease the way for government entities to do a large-scale remote search on the same devices for investigation purposes. The concern is that multiple intrusions can exacerbate the weaknesses of devices.

Now that the amendments have gone into effect, commentators are watching (to the extent information becomes publicly available) whether the amendments open the door to broad remote searching by government investigators, or whether the other legal requirements in obtaining search warrants will keep such access narrowly tailored.

Conclusion

Evolving jurisprudence, proposed legislation and other potential initiatives involving law enforcement's access to electronic information will continue to develop in an effort to keep pace with the constantly evolving technological landscape. The future development of these rules and law will require an ongoing commitment by law enforcement, legislators and the courts to carefully balance privacy protections with legitimate needs for access, and require companies to consider how emerging technologies in their field fit within this changing legal framework.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security