Online social media site Twitter recently sued the U.S. government to allow the site to protect the privacy of its users. Generally, you see the U.S. government through the Federal Trade Commission (FTC) sues online providers and others for not complying with their privacy policies, or for releasing consumer information without their knowledge or consent.
You see the government wants the information for itself.
And Twitter is suing, complaining that the government’s routine use of “gag orders” compelling them to produce customers’ information and prohibiting them not only from notifying the customer, but also prohibiting them from even explaining the policies and requests in general terms violates the company’s First Amendment Rights.
First Things First
Let’s start with the observation that ISP’s, social networking sites and other “third party providers” transmit, store, and process information on behalf of their customers. But this is no ordinary information. This can include the most sensitive information about consumers. Their financial information. Love letters. Intimate photographs. Medical information. Attorney client and doctor patient privileged information. Confessions to priests, rabbis, imams and others. Photographs of their kids, and records of their whereabouts. Names and political affiliations of friends and relatives.
In a real sense, having access to this information provides a virtual roadmap to their lives – what they like, what they think, who they know, who they like. It’s everyone’s diary, correspondence, and activities. And it’s only getting worse with the so-called Internet of Things. Third parties will know not only when we go bad, but when our milk does as well.
Under the so-called “third party” doctrine expressed by the landmark Supreme Court case Smith v. Maryland. In Smith, the Court held that the government could access a person’s landline phone records without a warrant because the consumer had “voluntarily entrusted” these records to a third party—the phone company, and therefore took the risk that the third party would provide them to someone else – the government.
The consumer had no reasonable expectation of privacy in these voluntarily exposed records. The government has relied on this third party doctrine to, for example, obtain the contents of people’s email and other communications without a warrant or court order. Although at least one court, the Sixth Circuit Court of Appeals in United States v. Warshak, suggested that a warrant might be necessary.
So by keeping stuff with a third party – whether an email provider, an ISP, a cloud provider or otherwise (and whether in storage or temporary transmission), you give up some privacy. Certainly you make it possible for the government to seize the records.
Home Sweet Home
If the government wanted to read the contents of your diary, they would either have to get your consent, or get a search warrant, search for and find the diary, and then read it. In that case, they would have to serve a copy of the warrant on you, and provide, under Federal Rule of Criminal Procedure 14, a copy of the inventory of what was seized. You could then challenge the warrant, its scope, its execution, and could challenge the results of the warrant for privilege or constitutional grounds. That’s why you get to know it happened.
In extremely rare cases, the government can get a “no knock” warrant which allows them to enter without knocking to protect the cops or prevent the destruction of evidence.
In even rarer cases, the government can be temporarily excused from the requirement that they leave a copy of the inventory (or tell you that the warrant has been issued.) These stealth warrants are typically used in espionage or related investigations, pursuant to secret warrants issued by the Foreign Intelligence Surveillance Act. It’s very rare. Very very rare. And here’s where the third party doctrine comes into play.
While it’s rare for the government to be able to seal a search warrant, execute it surreptitiously, and search your house, car, or pockets without your knowledge or consent, they can and do conduct the same searches for your electronic stuff secretly all the time. All the time.
They do this by subpoenaing places like Google, Microsoft, AOL, Yahoo, Facebook, Twitter, Pinterest and others for your data. They then add to the subpoena a demand that these entities NOT tell you about the subpoena.
There are lots of ways for them to do this. Some legal. Some not so much.
Some statutes create a presumption of secrecy of subpoenas. The Bank Secrecy Act for example, generally prohibits banks from telling customers that they have received and complied with a demand for their records. So it’s secrecy FROM the bank, not for you.
States like Minnesota and others prohibit recipients of law enforcement subpoenas (called administrative subpoenas) from telling their customers that they got a subpoena. So a lawyer could get a subpoena for privileged client records, and would go to jail if they told their client about the subpoena. Oh, and be disbarred if they complied with the subpoena. They couldn’t even contact their client to ask of the client would be willing to waive the privilege and cooperate. Rock and a hard place, eh?
Then there’s the informal demand. When writing up a subpoena, the prosecutor or cop simply types, “YOU ARE HEREBY COMMANDED not to inform the subject about this subpoena.” It’s not a court order. It’s a request. But the recipient of the subpoena doesn’t know that. It has no legal authority whatsoever. Sometimes it’s phrased as “you are requested” not to inform the subject.
Or “you are hereby informed that telling the subject about the existence of this subpoena or demand will seriously compromise an ongoing investigation and may lead to prosecution for obstruction of justice or conspiracy…” Scared yet? This is true despite the fact that Rule 6€ of the Federal Rules of Criminal Procedure, which applies to the grand jury (and therefore to grand jury subpoenas) specifically says that, “no obligation of secrecy may be imposed on witnesses.”
Clearly cops don’t want those under investigation to know that they are being investigated. They don’t want those under investigation to be able to assert rights, challenge subpoenas, assert privileges, or know what they are doing.
In some cases, there are legitimate reasons why the subpoena should be secret. More than it would impact the investigation. Or that it would be inconvenient. More like, “people will be killed” if they know about hits.
Just like secret search warrants, these should be extraordinarily rare, and supported by specific facts presented to a judge demonstrating a genuine reason to keep the fact of the subpoena secret. We’re talking a few dozen or a hundred cases a year.
But we have the exact opposite. We have a situation where the general rule is for secrecy. For National Security and FISA investigations. For financial fraud investigations. For routine investigations. For every kind of investigation. And secrecy is the exact opposite of what we are supposed to have. Accountability.
And that’s why Twitter is suing. They want accountability. For the FBI. For themselves. For customers.
Years ago I was negotiating a contract with a cloud provider to store sensitive documents, including attorney client privileged data. We put in the normal language in the contract indicating that, if they got a subpoena or demand for our documents, they would notify us and give us an opportunity to object.
One of the problems with privileged document is that you have to object to the seizure of the documents, or the privilege is waived. The cloud provider was in no position to assert the privilege, as they had no idea what documents were privileged, and didn’t hold the privilege anyway. In the case of a secret warrant, or secret subpoena, we couldn’t assert privilege either, cause we wouldn’t know about the seizure. So there was a real chance that we could be deemed to have waived the privilege by inaction.
A creative solution.
In the cloud contract, we put in language mandating that every month the cloud provider had to sign a statement under oath indicating that they had not disclosed – voluntarily or under compulsion – any of our records to any third party. If they failed to do this, they owed us liquidated damages of $1 Million, for each month they failed to so certify, since we couldn’t really measure the actual damages without knowing the scope of the disclosure.
This means that if the government or anyone else sought and obtained a subpoena or warrant for the disclosure of our records, and told the cloud provider that they couldn’t tell us about it, all the cloud provider had to do was nothing. The following month, they couldn’t certify under oath that they had complied with the secrecy provisions of the contract.
Of course the government was free to get a court order ordering the cloud provider to commit perjury, but in my experience, courts are loath to suborn perjury. In addition, the government could also agree to pay the liquidated damages themselves, or get a court to order the liquidated damages provision to be void as against public policy. But again, this rebalances the privacy interests, and forced the government to seek secrecy only in those cases where it truly needs it.
And that’s what should happen. Secrecy of investigations can be a good thing, and can be essential. Sometimes it’s life and death. In those cases, the government should seek to obtain a protective order from a court with specific and articulable facts. Oh, and if they lie, they should go to jail There has to be accountability. And secrecy is the enemy of accountability.