Posts Tagged ‘search warrant’

Hey feds, get off of my cloud (Followup)

Tuesday, May 17th, 2011

Last month, we posted on the Senate hearings on whether the feds need to get a warrant before getting emails and other stuff stored in the cloud.  The Obama administration would rather let the feds continue to get such stuff without bothering to get a warrant, as they now can do under (very outdated) current law.  As we put it:

As the law currently stands, if an email is more than 180 days old, the feds are allowed to snag it without a warrant, under the 1986 Electronic Communications Privacy Act.  In yet another bit of Orwellian fractal weirdness, the ECPA was designed to ensure that online communications had just as much privacy protection as anything in the offline world.  (Given the erosion of Fourth Amendment protections in the brick-and-mortar world, a cynic might be tempted to crack that the ECPA has lived up to its expectations.)

And we quoted Sen. Patrick Leahy, who last year argued to drag law enforcement and the Fourth Amendment into the modern era:

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times.

Well, today Sen. Leahy proposed a new bill that might do just that.  The bill (pdf here) would get rid of that 180-day loophole, and require the feds to get a warrant no matter how old the email or data might be.

-=-=-=-=-

Obviously, we’re in favor of that.  But this bill goes farther than that.  If adopted, this bill would also:

  1. Prohibit cloud services from knowingly (more…)

Supremes Adopt and Define New “Police-Created Emergency” Doctrine

Monday, May 16th, 2011

Interesting Fourth Amendment decision from the Supreme Court this morning, in a case which at first glance didn’t seem all that cert-worthy.  The facts are as run-of-the-mill as they come — an undercover buy-and-bust, the dealer ran into a building, arrest team followed in just as one of the doors slammed shut but couldn’t tell which of 2 apartments the guy went into, from the hallway they smelled dank weed burning, the smell was stronger by the apartment on the left, the cops banged on the door and announced themselves, the cops heard stuff being moved around inside and figured it was evidence being destroyed, the cops burst in and found significant amounts of pot and cocaine.

The first time we read the facts in this case, we couldn’t help wondering “seriously, what’s the problem here?”  We’re well aware that the cops’ story might not be entirely truthful, but on the facts as given there just didn’t seem to be grounds for suppression.  The cops are allowed to pursue a suspect into the hallway of an apartment building (here it was a breezeway, arguably even less private).  The cops were entitled to bang on the door that smelled of burning marijuana.  There’s no Fourth Amendment prohibition against the police banging on your door and shouting “police police police.”  On hearing sounds consistent with destruction of evidence, it’s pretty well settled that an exigency now existed.  That’s one of the dozen or so exceptions where society’s interest in something (here, preservation of evidence) trumps the right against warrantless searches.  So seriously, what was the problem?

The problem was that the police arguably created the exigency themselves.  If they hadn’t banged on the door and announced their presence, there wouldn’t have been any evidence-destruction sounds.  Can the police manufacture an exception to the warrant requirement, one that would not have existed otherwise, and then rely on that exception to conduct a warrantless search?

Ah, now it gets interesting.

Writing for an 8-1 majority in Kentucky v. King, Justice Alito neatly described (more…)

Hey, feds, get off of my cloud

Friday, April 8th, 2011

Our jury’s still out, and there’s so much stuff to catch up on.  There’s the 5th Circuit’s denial of Jeff Skilling’s appeal, even though the Supreme Court had struck down the “honest services fraud” charge last summer.  We were so ready to write something about it yesterday, but work intervened, and now we’re not in the mood.  Maybe this weekend.

Instead, we’re all intrigued about the Senate hearings earlier this week on whether federal law enforcement ought to get a warrant before doing any search and seizure out there in the cloud.  Apparently, the Obama administration says the warrant requirement is just too much of a hassle.

The term “cloud computing” covers a lot of things, but for these purposes we’re talking about people storing data not on their own hard drives, but out there somewhere in the ether of the internet.  Of course, “out there somewhere” means “stored on someone else’s servers.”  Which means it’s there for the taking (or destruction) if those remote servers were to be compromised.  And of course, that means it’s out there for the seeing if law enforcement decides to go poking around in the cloud.

As the law currently stands, if an email is more than 180 days old, the feds are allowed to snag it without a warrant, under the 1986 Electronic Communications Privacy Act.  In yet another bit of Orwellian fractal weirdness, the ECPA was designed to ensure that online communications had just as much privacy protection as anything in the offline world.  (Given the erosion of Fourth Amendment protections in the brick-and-mortar world, a cynic might be tempted to crack that the ECPA has lived up to its expectations.)

As Vermont senator Patrick Leahy put it last September, when the Senate first started considering changes to the ECPA, the statute

was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, present new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times.

Think of it this way:  You’re storing your emails on a third party’s servers.  Isn’t there some lessening of your privacy expectations in that situation?  And on top of that, until maybe six or seven years ago, it wasn’t that outrageous to deem emails left on a third party’s servers for more than six months — instead of storing them to one’s own hard drive or local server for preservation — to be “abandoned.”  AOL users lost their emails after just a month or so.  If you didn’t actively save it to your hard drive, you didn’t want it.  (Forget, of course, the user’s reasonable expectation that the email would no longer exist in the first place.  Do not waste brain cells wondering whether one can abandon something that one believes to have already been destroyed.)

The point is, the law sort of made sense back in the 80s.  And it still kinda made sense when Google was new and Facebook was still in the future.

But now, things have changed.  In ways that are both dramatic and obvious to anyone who might be reading this post.  Now, by default, the vast majority of users do not store their emails locally (if they even know how to do so).  Emails are almost always accessed through a third party’s servers.  Almost nobody downloads their emails — and even if they do, the original remains on the server.

The vast majority of users expect that their emails, protected by their usernames and passwords, will remain private.  Even though the emails are stored out there in the cloud, the ordinary reasonable expectation is that they are private.

As we all know, the Fourth Amendment prohibits the search and seizure of stuff where there is a reasonable expectation of privacy, unless law enforcement gets a warrant based on a showing of probable cause to believe that particular evidence of a particular crime will be discovered by the search.  (For those of you desiring a quick primer on the various exceptions that apply, you can certainly do worse than to listen to N. Burney and G. Mehler’s brilliant CLE lecture, “Search and Seizure in 60 Minutes.”)

The exceptions to the Fourth Amendment essentially boil down to situations where the evidence would cease to exist if a warrant were sought, or there’s some other thing we want the police to be able to do (such as make sure people are safe) that might be deterred if they weren’t allowed to use evidence observed in the process.  None of the exceptions are based on a policy of “we probably wouldn’t have probable cause to search in the first place.”

But that is precisely the policy offered by the Obama administration this week.  We kid you not.  Here’s associate deputy attorney general James A. Baker, testifying on why the administration doesn’t want to have to get a warrant to search the cloud:

In order to obtain a search warrant for a particular e-mail account, law enforcement has to establish probable cause to believe that evidence will be found in that particular account. In some cases, this link can be hard to establish.

And if they aren’t allowed to search in cases where they cannot establish probable cause in the first place?  The consequences would be dire, he (more…)

Police Allowed Into Home, Shoot Dog and Unarmed Suspect

Thursday, October 14th, 2010

When the police ask if they can come in, SAY NO.  It doesn’t always end as badly as this, but it almost always ends badly.

When the police (or investigators from a regulatory agency, or any enforcement types) ask you questions, SAY NOTHING.  You don’t have to talk to them, and it can end badly.

If the cops are getting physical, DON’T FIGHT THEM.  You will always lose, and it’s just something else to charge you with.

Not blaming the victim here, but don’t let it happen to you.

For more useful advice — for law-abiding citizens just as much if not more than others — see this fine video called 10 Rules for Dealing with Police:

-=-=-=-=-

Credit goes to the partner, btw, who’s probably looking at a helluva lot of harassment for breaking the wall of silence.  Breaking the golden rule that Thou Shalt Not Speak Ill Of Another Cop is not a career-advancing move.

Cell Site Data — Is a Warrant Really Required?

Monday, March 23rd, 2009

The 3rd Circuit is hearing an interesting appeal on whether the government needs to get a warrant before demanding cell site data from phone companies.

Cell sites are those transmitters you see on rooftops and towers, beaming and receiving cell phone communications. Their range varies from a few blocks to a circle twenty miles across, depending on their power and local geography. When a cell phone is being used, it’s communicating with a particular cell site.

Phone company records will show what cell site was being used by a particular phone at any given time. Law enforcement often requests such records, to help narrow down possible locations for an individual using a phone. This can be particularly useful if the individual is in motion, because his signal will be picked up by a series of cell sites, which can be used to map his progress.

This is passive data, as opposed to an active “ping” whereby a signal is sent directly to a particular phone for the purpose of identifying its location.

Most phone companies will not provide real-time cell site data to law enforcement without a court order. So court orders are routinely sought, often in conjunction with pen registers (calling records which show the time and phone number for calls sent and received). 18 U.S.C. § 2703 permits such an order when there are “specific and articulable facts showing that there are reasonable grounds to believe that… the records… are relevant and material to an ongoing criminal investigation.” These are called 2703(d) orders, and are different from eavesdropping warrants requiring probable cause.

In this case, the feds asked for a 2703(d) order, but unusually did not seek real-time cell site info. Instead, they asked for an order permitting them to get historical data. They’d been investigating drug trafficking, and were tracking one subject’s phones already. During the investigation, they identified what they believed to be the phone of their subject’s supplier. Physical surveillance proving difficult, the feds wanted to see historical cell site data, to see if they could figure out how the supplier had moved around.

The magistrate denied that request, holding that a request for real-time data would have been fine, but that historical data is not permitted pursuant to a 2703(d) order.

(As an aside, the investigators learned of the supplier’s number in June 2007, but didn’t apply for the historical data until February 2008. We know the feds take an inordinate amount of time in their wire and pen applications — one reason why they do comparatively few of them — but eight or nine months is astonishing.)

The feds appealed to the district court, arguing that the magistrate’s decision was bizarre. Instead, however, the district court went further than the magistrate had, and ruled that a warrant based on probable cause would be required for such historical records.

Although we are on the defense side, it seems as though both the magistrate and the district court judge got things backwards. Real-time cell site data, one would expect, is significantly more intrusive of privacy than historical data from up to six months ago. Real-time data can be used to locate where a person is now. The law clearly permits this more invasive search to be performed with a mere order. To require a probable cause warrant for the clearly less-invasive search makes little sense.

The ACLU, meanwhile, has stepped in with an amicus brief opposing the government. They basically argue that, yes, a 2703(d) order would have been sufficient, but the magistrate had the discretion to require a probable cause warrant instead. They then argue that, no, a 2703(d) order would not have been sufficient, and in fact a probable cause warrant ought to be required for all cell site information. People don’t know their cell site data is being collected, so they have an expectation of privacy.

We’re frankly not thrilled with the quality of either side’s brief. But the ACLU wins the “silliest syllogism” award for this one: They hypothesize a subject named Bob. Bob is talking on his cell phone as he enters his office, so with real-time cell site info the police now know he’s in his office. Bob is surveilled to his house. Once inside his house, he makes another call. But without the cell-site info, the cops would have no reason to believe the cell phone never left Bob’s office. Riiiight.

This is a case of first impression in the Third Circuit. One could easily see them ruling against the feds, too.

Feds who, by the way, brought this on themselves.

Seriously. They could have simply subpoenaed the historical business records without going to a judge in the first place. Asking permission to do something novel is the best way to create a precedent saying you can’t do it. But subpoenaing already-existing business records from phone companies is strictly routine. If they’d done it that way, we’d wager that the court would even have compelled the phone company to comply, if the need arose.