By now you've all probably heard about the court order that the U.S. Department of Justice served on Twitter last December, and which Twitter successfully fought to have unsealed so that it could notify the affected subscribers - among whom are Dutch entrepreneur and privacy activist Rop Gonggrijp, Icelandic parliament member Birgitta Jonsdottir, and Tor Project evangelist Jacob Appelbaum. There is a good deal of FUD going around about what has actually been requested, and this time I'm not going to debunk it myself, as Christopher Soghoian has already done so admirably in the article linked in the previous sentence.
Instead, I'm going to tell you about my own experiences in the land of 18 USC § 2701 et seq, sometimes referred to as the Stored Communications Act portion of the Electronic Communications Privacy Act - and how they're directly analogous to the ECPA and Fourth Amendment issues raised in the matter of the Twitter court order. Oh, and also how we won. I hope that they prove instructive.
In February 2009, my website and email were hosted on monkeyblade.net, a machine coloed and run by John "warthog9" Hawley, who's also the sysadmin of kernel.org. I knew John from my grad school days at the University of Iowa, where he was an undergrad; he also hosted sites for a few other folks from the university ACM chapter. At that point he'd been hosting me since mid-2004.
That situation quickly changed, however, when John discovered that I was embroiled in a legal issue with the California Army National Guard, and had opted to conduct my defense from my residence in Belgium rather than go to court in the U.S. with a legal team that had admitted to me that it was unprepared to defend me adequately. In light of some remarks John made on LiveJournal about my situation, I decided it was time to find alternate hosting options. I backed up my mail and site, made arrangements to transfer my domain and data to another machine (the excellent snugharbor.com, run by our own lwood), and began the tedious process of /usr/bin/shred'ing those files of mine still on John's box, as one does when one is vacating a machine.
I found myself locked out of my account on monkeyblade.net shortly thereafter, and on February 11th I received an email from John with an attachment: a subpoena duces tecum, dated February 4th, demanding "the electronic mail (e-mail) account of 2LT Meridith (sic) Patterson from 1 JAN 2006 until present." John also informed me that he had already provided the requested data.
Needless to say, this is not how you are supposed to do it.
Consider, if you will, the California Rules of Civil Procedure § 1985.3(b). Herein, it states that when a consumer's personal records are being subpoenaed from an entity that is acting as custodian of those records, the consumer must be notified not less than 10 days prior to the date the documents must be produced. (The subpoena indicates that if John sent in the records within five days, he wouldn't need to appear in court; in any case, from his own admission it appears that John sent them within seven days of the date the subpoena was issued.) It also says that the consumer, i.e., me, must be notified "at least five days prior to service upon the custodian of the records", i.e., John. Obviously, neither of these things happened.
Now, you might object that a National Guard case would follow the procedural rules of the Uniform Code of Military Justice, not the CRCP, and you'd actually be right. I include this as an example of why it's important to double-check that any subpoena, court order, or even warrant you're served with is procedurally valid. Furthermore, as you'll soon see, the prosecution's failure in execution actually played very little role in the outcome of my situation - and the UCMJ, or more properly the Military Rules of Evidence, may play a large role in the outcome of the Twitter situation.
So there I was, in Belgium, with three years' worth of my email in the hands of a prosecutor. During that time, I'd used those accounts for both personal and professional communications - with employers, professors, friends, my husband, my company's lawyers, co-authors, relatives, all sorts of things. Most were private (the mailing lists weren't), arguably everything was irrelevant to the case at hand, and a large fraction was privileged communication of one form or another.
This is what is casually known as a "fishing expedition". For what, I'm still honestly not sure. But there it is.
Meanwhile, I lucked into an excellent pro bono replacement legal team thanks to the help of my corporate law firm, and they quickly filed a motion to quash the subpoena. The note on page 2 about the standard and burden of proof set the tone; their goal was to have the surrendered evidence ruled inadmissible. Briefly, they argued that:
- the request for three years of my mail was overbroad and amounted to "the Government using the subpoena as a discovery mechanism"
- I had a reasonable expectation of privacy in my email, and my Fourth Amendment rights had been violated since no search warrant was issued
- 18 USC § 2703(a) provides that the Government must obtain a search warrant to obtain emails fewer than 181 days old, and § 2703(b) requires the Government to obtain a search warrant or obtain a subpoena/court order and notify the network service provider customer to obtain emails more than 180 days old.
There's a pretty close analogy here to what's going on with Twitter. As Chris Soghoian notes, the list of records demanded in the court order can be interpreted rather broadly. The Fourth Amendment and § 2703(a) arguments seem to apply to the interpretation where the DoJ wants the account names and IP addresses of all senders and recipients of Twitter direct messages to and from the affected accounts, if one takes the interpretation that a user of a password-protected account has an expectation of privacy with regard to who s/he is communicating with. (In other words, is the "To:" field part of the content of a communication?) The government covered its bases on the § 2703(b) issue in this case, but there are still substantial arguments to be made depending on what, exactly, is being demanded. Indeed, we will probably see arguments from the affected users' counsel that the court order was improper because the list is so vague and unspecific. (Several articles in it don't even apply to Twitter.)
Moving on to March 6, 2009, the prosecution responded. He made special note of the fact that John Hawley was at that point providing me with service on a non-commercial basis - which is true, and serves in the end to apply the same Fourth Amendment and Federal legal protections that clearly apply to ISP customers to users of shell accounts provided on a casual basis. (To my knowledge, this is the first time this particular circumstance has come up in the courts.) He also tried to claim that because I hadn't asserted or otherwise documented that I had an expectation of privacy in my email, I therefore had none. (The judge shot this down on the grounds of monkeyblade.net's own Terms of Service, which in part had to do with password security; given that Twitter accounts are also password-protected, there would seem to be a similar expectation of privacy in any private communications facilitated and stored by Twitter.)
The rest of his argument amounts to "this motion to quash should be denied because it would be so inconvenient for the government otherwise," although it is a bit eyebrow-raising to note the following on pages 16-17:
Even if 18 U.S.C. 2701 was applicable under subsection (c) the following exception is applicable in this case:
(c) Exceptions: Subsection (a) of this section does not apply with respect to conduct authorized-
(1) by the person or entity providing a wire or electronic communications service
In the present case John Hawley is the host of 2LT Patterson's email. It is Hawley who is accessing the information and he consents to the accessing of this information. This position is supported by Hawley's contacting government counsel, informing government counsel of the existence of 2LT Patterson's email, coping (sic) of the email onto a compact disk and forwarding this disk to the government.
In other words, he's trying to claim that voluntary consent from the service provider is sufficient to disclose the stored communications of a user of that service. (Compliance will be rewarded, Citizen! Have a Bouncy Bubble Beverage.) I have to wonder how many times this argument has been tried that we haven't heard about, and how many people have fallen for it. For what it's worth, my lawyers' reply brief discusses this in detail, citing Freedman v. America Online. Sysadmins, listen up: the fact that the government is asking does not mean it's necessarily a lawful request on their part. Do like Twitter, and consult with counsel first.
Finally, Judge James K. McFetridge ruled on the motion to quash. He found that the issuing of the subpoena triggered my Fourth Amendment protections, and that the ECPA required "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or other electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation," which the government failed to meet. He also found that the subpoena was overbroad, even though he probably didn't have to, and ordered that the documents Hawley produced be returned to my counsel.
The court order in the Twitter matter claims that reasonable grounds have been articulated; they are not, however, detailed in the order, so perhaps the briefs that influenced the decision to issue the order haven't come to light yet. Presumably someone will invoke due process in an effort to find out what they are. As well, the issue of stored communications less than 181 days old remains, along with the Fourth Amendment trigger. Like U.S. v. Warshak, this is shaping up to be a case that clarifies some grey areas in the ECPA.
It remains to be seen whether the U.S. Department of Justice will be able to surpass 1LT Stone's degree of legal sophistication in its response to the motions to quash that are likely forthcoming from Jonsdottir, Gonggrijp and Appelbaum. (Short answer: probably.) Twitter generally seems to have its bases covered; it's everyone else who needs to be paying attention. There's a great deal of speculation about whether Google and Facebook have also received sealed court orders, but I've also heard anecdotal reports - that may or may not have anything to do with the case the Twitter order relates to - of university sysadmins surrendering users' account information and emails to government request. (My sources did not know whether these requests were warrants, court orders, subpoenas, or sternly worded remarks on official letterhead.) Many small-scale sysadmins - at startups, for instance - don't have access to legal counsel like sysadmins at big corporations do, and it's incumbent on all of us to know our responsibilities to users under the law.
What this all suggests, then, is that there will - or at least should - be a great deal of attention paid to the provenance of the evidence in the upcoming trial of Bradley Manning. (Manning's also named in the order, and I concur with the general observation that the interest in Jonsdottir et al relates to the Collateral Murder video.) Any sloppiness on the part of the prosecution with regard to evidence-gathering may very well end up parlayed into actions that render sloppily-seized evidence entirely inadmissible under the Military Rules of Evidence 311(e). (Told you it was relevant!)
One question that my case doesn't address at all is whether evidence that has been ruled inadmissible due to improper process, Fourth Amendment violation or whatever can be reintroduced pursuant to the issuance of a valid search warrant. The prosecution never tried and I don't know whether the "fruit of the poisonous tree" doctrine applies here. I get the impression that Twitter hasn't surrendered any data yet, so that point may be moot anyway, but I'm curious whether it might be an issue for other affected providers.
Another question that never fully took shape in my case was that of liability on the part of the service provider. 18 USC § 2703(e) protects providers from any cause of action stemming from their disclosing data in accordance with the terms of a court order, warrant, or subpoena, but this leaves open the question of whether a provider is open to liability if it complies with an unlawful action, which the Twitter court order may be found to be. Would Facebook be liable if it complied with a sealed court order later found to be unlawful? Would John Hawley?
So, as is typical with cases that are likely to be landmarks, such as Manning's, there are a lot of open questions. But the Department of Justice faces an uphill battle on Fourth Amendment grounds, and the outcome of the matter directly at hand will shape privacy case law for years to come. It's going to be an interesting fight.