A report on Fox News’ website describes the grand jury subpoena issued for the seizure and search of a laptop computer assertedly belonging to former Vice President Joe Biden’s son, Hunter. For all of the intrigue around the contents of the laptop, its provenance, and whether there is or is not evidence of corruption or criminal activity contained on the laptop, the manner in which the laptop was delivered to the FBI is – well — strange.
Hunter Biden’s Laptop
According to published reports, Hunter Biden (or someone on his behalf) dropped off three water damaged laptop computers for repair, and then abandoned these laptops by not coming back to the repair shop. The owner then determined (under the contract for repair, I assume) that both the laptops and the contents thereof were abandoned, and that he had free reign to do whatever he wanted with these computers. Maybe. Maybe not.
If the documents on the Fox website are accurate (and there is currently no reason to believe that they are not – ok, there’s some reason, but stay with me here), sometime before December 9, 2019, the owner of the repair shop contacted the Wilmington, Delaware office of the FBI and described the contents of the laptop sufficiently for the FBI to have an interest in the contents. They then convinced the United States Attorney’s Office for the District of Delaware to “open” a grand jury investigation of some criminal offense, and caused a grand jury subpoena to be issued on December 9, 2019 to the repair shop calling for the shop to produce the laptops to the grand jury on December 17, 2019. While the subpoena duces tecum (subpoena to produce documents or records) would technically have required the shop owner to appear before the grand jury on December 17, typically what happens is that the FBI agent hands the witness the subpoena, and the witness hands over the documents (or laptop). Easy peasy lemon squeezy.
But the choice of a grand jury subpoena in this case is — well, bizarre. A subpoena is a compulsory process – enforceable by either a motion to compel or a sanction of contempt. It’s what you use to force someone to produce a document or record that is in their possession, custody or control, that they typically don’t want to produce. There are such things as “friendly” subpoenas – that is a “CYA” subpoena to an entity that wants to produce a document or record but wants to be able to tell someone else (typically shareholders or third parties) that they had “no choice” but to produce the document. But if someone is willing to hand you evidence of a crime, there’s little point in taking the time and effort to get a subpoena from a grand jury. Technically, to get a grand jury subpoena, you are supposed to inform the grand jury that you are investigating a particular matter or subject, get their permission to issue subpoenas on their behalf, get the subpoena signed by a judge, served on the party, and “returned” to the grand jury which receives the evidence. But that’s not how it actually works. The AUSA pulls a signed subpoena out of their desk (or just gives it to the FBI agent) who fills it out and faxes it to the entity that it wants to produce the records. The Court and the grand jury (which is technically a judicial body) know nothing about the fact that the subpoena was issued in its name. Again, easy peasy lemon squeezy.
If You’ve Got A Warrant I Guess You’re Going to Come In
There are, however, good reasons to get a search warrant from a judge even for evidence that someone is willing to hand to you voluntarily.
Under the law, there is a difference between having the ability to comply with an order to produce records or the ability to voluntarily produce them and having the right to do so. Typically, subpoenas call for production of records that are in the recipient’s “possession, custody and control.” So you can be forced to produce records that are not yours, if they are in your “possession, custody and control.” But it’s not so simple. For example, in Carpenter v. United States, the U.S. Supreme Court held that, although a cell company was in possession, custody and control over cell site location data (indeed, it was their own data), the government could not simply subpoena those records because the data subject retained a reasonable expectation of privacy over what those records would reveal. Therefore, the court opined, a search warrant supported by probable cause (more likely than not that a crime had been committed) was necessary. So, if you hold documents or records for or about a third party, and that third party retains a reasonable expectation of privacy in the contents of those records or in what those records may reveal, even though you have the ability to turn over the records (e.g., the cell site data or Hunter Biden’s laptop), you may not have the legal authority to do so. In the case of Hunter Biden’s laptop, it may come down to whether or not he truly abandoned the property, and the extent to which the store owner attempted to contact him. It gets into complicated questions of the law of bailments, the nature of the contract with the store owner, the question of whether the store owner “accessed the computer” in excess of authorization, and similar questions. The important thing to note here is that, for the purposes of Hunter Biden’s privacy rights, there is no difference between the store owner voluntarily producing the records and doing so in response to a subpoena unless — and this is a big unless — the contract between Biden and the store owner contained a typical NDA clause.
NDA’s
When information is shared between parties, they often enter into NonDisclosure Agreements or NDAs. Typically these set out what data is to be considered confidential, what each party may do with the shared data (typically they can use if “for the purposes for which the data was shared”) the parties respective duties to protect, secure and delete the shared data and the like. They also may include a “compulsory process” clause — language that says that the data recipient may also disclose the data if they are compelled to do so by court order. A subpoena is a court order. Kinda, sorta. Well written “compulsory process” clauses will require the recipient of a subpoena or court order to notify the data owner (disclosing party) of the order and give them the opportunity to raise privileges, defenses, or objections to the production of the documents. Even more well crafted clauses may contain what are called “data canaries” – clauses that permit the disclosure of the subpoena or warrant even in spite of a court order precluding the disclosure of the existence of the warrant or subpoena. The data canary works by negative inference — the holder of the data certifies on a daily, weekly or other basis that they have NOT disclosed the data. When they get the subpoena, they simply stop certifying. Pretty nifty. What these NDA’s recognize is the fact that, while the receiving party has possession, custody or control of the disclosing party’s data, the disclosing party either owns or retains a privacy interest in the data. In the case of Hunter Biden’s laptop, the store may have possession of the laptop and access to the data files, but it’s still Hunter Biden’s laptop, and he retains a reasonable expectation of privacy in it. It’s easier to make that case if there was a contract between Biden and the repair shop that addressed this issue — which there probably was not.
Subpoena v Warrant
In the absence of clear language, and in the absence of clear evidence of “abandonment” of the contents of the laptop, the FBI takes possession of the laptop from the shop at some legal peril. Just like the cell site data in Carpenter, they run the risk that a Court will find that the store had no legal authority to give the contents of the emails on the laptop to the FBI and that the mere subpoena was insufficient to override the laptop owner’s reasonable expectation of privacy.
In the Robert Morris prosecution 1,000 years ago, the perpetrator of a worm program that essentially shut down the Internet in 1988 developed and perfected the worm on computers owned by Cornell University where he was a student. Cornell “seized” Morris’ files on the network, including his emails, and offered these files voluntarily to the government as evidence. We declined, and obtained a search warrant which we handed to Cornell in return for the files they had already segregated. That way, we avoided issues of whether Cornell had a right to read or disclose Morris’s files or emails. The search warrant assumes privacy interests but overrides them. No so with a subpoena.
So the choice to subpoena Hunter Biden’s laptop was an unusual one, assuming you had a willing shop owner who was agreeing to voluntarily produce a device that he was lawfully in possession of, and for which he had a legal right to disclose. If the shop owner had no legal right to disclose, then, for the most part, the subpoena does not cure the problem. But a search warrant would. One possible conclusion is that the FBI and USAO did not believe that they had sufficient probable cause to believe that both a crime had been committed and that there was evidence of that crime on the laptop. But they weren’t coming in there blind (pun intended). The owner of the shop had already examined the contents of the laptop, and presumably had described them to the FBI. The FBI would be working to confirm what the shop owner told them, and look for other criminal evidence. A search warrant (if they had probable cause) would be much better for legal reasons than a subpoena.
There are a few reasons that a subpoena might be necessary. If the shop owner simply called the FBI and said, “I see possible crimes here, but I can’t tell you what I see” and insisted on a compulsory process before producing the records, a subpoena would compel the production. If the contract said that the contents could not be disclosed without a subpoena, again, a subpoena would be necessary and appropriate. But if there was any question about the privacy rights of Hunter Biden, under the Carpenter precedent, a warrant (if available) should have been obtained.
What does this mean for digital data? Most companies are custodians of data for third parties. This could be under data sharing agreements with others, NDA’s, privacy policies, or other agreements. Even if we suspect that this data is evidence of some criminal activity, before we disclose it to the police, we need to make sure that we have some legal right (and examine our legal obligations) to do so. Sometimes we are allowed (or required) to voluntarily disclose data, sometimes we are prohibited from doing so. Sometimes we must comply with a subpoena, sometimes we should or must resist. As custodians of others’ data, we must protect it. Not just from hackers, but from other forms of intrusion. That’s the nature of the beast these days.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.