Internet use among adults age 18+ has become the social norm. As of March 2014, 87% of the population (277,436,130) uses the internet. Many of these users access social media websites like Facebook. Facebook has quickly become the most widely used social media website in the United States. As of 2014, 71% of American internet users (196,979,652) say they utilize the social media website. Moreover, of the 71% of internet users in the United States, 70% report they use the website on a daily basis. In total, a whopping 137,885,756 Americans check or post on Facebook daily.
Specifically, the New York Supreme Court Appellate Division explained that the Internet Service Provider (ISP) did not have statutory authority under the Stored Communications Act (SCA) § 2703 to file pre-enforcement motions against warrants. The SCA allows only subpoenas and court orders to be challenged prior to enforcement. This decision, while sound legal theory based on current statute, is cause for concern among privacy advocates for a couple of reasons. First, the broad, sweeping nature of the warrants enables irrelevant personal information to be seized. Second, an ISP has the statutory ability to contest subpoenas and court orders, but not search warrants.
The first point of concern is the broad nature of the warrants themselves. Probable cause for the warrants of each of the 381 users was provided by a single ninety-three-page affidavit. While this is not immediate cause for concern, it is disconcerting when viewed in the light of the actual number of users charged as a result of the account seizures. While a New York judge found there was sufficient probable cause, the number of charged defendants from the search warrants was a mere 62. Presumably, this means there was not sufficient evidence found in the other 319 user accounts and, consequently, these users had their personal correspondence and pictures seized in vain. Yet, based upon current precedent, this broad seizure of material is legal. As the Supreme Court of New York stated in the 2013 case, “the relevance or irrelevance of items seized within the scope of a search warrant may be unclear and require further investigatory steps.” This precedent would make sense in most contexts, but becomes dubious when the mass of data gathered is a user’s most personal information. Again, considering the small percentage of users charged via the warrants, a large amount of irrelevant personal information was undoubtedly seized. The court in 2015 even agreed that users “share more intimate personal info through their accounts than may be revealed through rummaging one’s home.” Moreover, according to Chris Sonderby, Facebook’s General Counsel, the warrants contained no date restrictions and allowed the government to keep the seized data indefinitely.
This sets a concerning precedent for future mass “data dragnets” by the DA’s office, considering the number of people utilizing social media, as well as the amount of personal information found on these websites. In the 2015 opinion, the court recognized that “Fourth Amendment protections are weaker in the digital context,” but then, within the same document, admitted that “Facebook users share more intimate personal info through their accounts than may be revealed through rummaging one’s home.” Thus, should stricter scrutiny be utilized for these broad electronic search warrants? The question is also prompted by the fact that this situation is indicative of a growing trend in United States law enforcement. The U.S. leads the world in these types of Facebook seizures. Law enforcement in the United States utilizes Facebook seizures almost three times as much as the next country on the list. In fact, law enforcement in this country used 14,274 requests to seize 21,731 accounts from July 2014 to December 2014 alone. This number is more than the four closest nations (France, UK, India, and Germany) on the list combined.
A second point of concern arises from the statutory construction of the SCA itself. Currently, it leaves wide latitude for District Attorney Offices when they have a warrant, because an ISP is unable to challenge the warrant until the accounts are seized. The SCA gives three ways to obtain electronic information: (1) an administrative, grand jury or trial subpoena (see § 2703(c)(2)); (2) a court order issued pursuant to § 2703(d); or (3) a search warrant (see § 2703(a)). Subpoenas are used in this context to obtain subscriber information like names, addresses, and credit card information. Court orders are used to gather transactional data (when the account is accessed, services used, and length of time online). Finally, warrants are utilized for stored electronic communications like Facebook accounts.
The court explained that an ISP can only challenge court orders or subpoenas prior to execution, not warrants. This is per se reasonable because probable cause is required for a warrant, while “specific and articulable facts” that there are “reasonable grounds to believe” the information desired will be “relevant and material” are the only requirements for court orders and subpoenas. Yet the warrants in this case pertain to personal information on a social media website, a website where the court admits “users share more intimate personal information through their Facebook accounts than may be revealed through rummaging about one’s home.” The probable cause standard for these warrants is a relatively strong privacy safeguard, but should the SCA allow a pre-enforcement challenge when this quantity of personal information is being collected? This contention seems reasonable when such warrants involve 381 individuals and, in the end, sufficient evidence was only found for 62 of them. Without a pre-enforcement ability, an ISP is forced to let the government vitiate the privacy of its users and can only step in once the damage is done. These ISPs must either comply and lose the trust of consumers, or not comply and face contempt charges.
The SCA, however, is not without its positive aspects. One benevolent characteristic of the SCA that the court points out is that without it, ISPs would be governed by the outdated “Third Party Doctrine” established by Smith v. Maryland (holding that limited information that people voluntarily share with third-party businesses can be accessed by law enforcement without a warrant; only a subpoena and prior notice are needed).[1] This 1979 decision paved the way for the NSA’s telephone metadata collection program that Snowden exposed. Ostensibly, the SCA creates privacy protections analogous to Fourth Amendment protections for digital communications stored on the internet. Thus, the passage of the SCA is certainly a step towards cementing online privacy in a world where more personal information is found online than in one’s home; yet, in its current construction, it still has room for improvement.
Given the current social media status quo, this litigation should serve as a warning to those divulging personal information on social media. Even more important is the warning that District Attorney Offices may seize and access your accounts for an indefinite period of time. Even in the event the District Attorney Office does not find sufficient evidence to charge you with a crime, much like the 319 individuals who were not charged after their accounts were seized, there are few limitations on their access once the social media accounts are seized.
By Joseph Collins
CLP Senior Staffer
[1] See also Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Michigan L Rev 561.