There are two overarching goals in the fight for digital civil liberties: first, to establish privacy-protective legal rulings and statutes; and second, to make sure law enforcement and judges apply those standards throughout the criminal justice system. Oftentimes conversation about law reform efforts focuses on the former, but the latter is equally important, if much less examined.
Now, a rare and until today unreported ruling from the US District Court for the District of Columbia sheds light into this underexplored corner of the law. In the ruling, United States Magistrate Judge G. Michael Harvey denied several applications for surveillance orders which prosecutors filed under seal (i.e. in secret). Judge Harvey held that law enforcement officials didn’t provide sufficient “specific and articulable facts” to show that the voluminous data returned would be “relevant and material” to its investigation of a murder.
The opinion is remarkable for two reasons: first, because it upholds the evidentiary bar congress intended law enforcement to meet when it wrote the statute authorizing officials to demand our internet records from companies; and second, because unlike the surveillance order applications, the order denying them was made public.
Some background is required to understand its significance.
In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), authorizing limited forms of government surveillance of internet information. In its current form, section 2703(d) states that law enforcement may apply for court orders (called “d orders” for short) to demand internet records when officials have provided “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation” [emphasis mine]. The d order standard sits between the subpoena and the warrant. Subpoenas, which can be used to demand certain types of metadata, do not require judicial approval; warrants, on the other hand, demand a higher standard of evidence to return communications content, namely probable cause that the information returned from the search will be evidence of a crime.
As Judge Harvey observes in his July 1, 2016 opinion, Congress’ original drafting of the d order provision only required that the information returned be “relevant to a legitimate law enforcement inquiry,” a very low threshold. In 1994, eight years after the statute first became law, Congress modified it with the explicit intention to prevent what it called government “fishing expeditions.” Thus did lawmakers add the language requiring “specific and articulable facts” that the records sought be “relevant and material to an ongoing investigation.”
Congress meant what it said. But neither government agencies nor the courts listened.
Documents obtained by the national ACLU demonstrate that the Department of Justice interprets section 2703(d) very broadly, despite Congress’ clear intention to limit d order fishing expeditions. According to training documents released by the US Attorney’s office for the Southern District of New York, federal prosecutors are under the impression that d orders grant them access to a person’s entire internet history, with one fell swoop.
“[A] 2703( d) order permits the Government to compel the disclosure of all subscriber information, all transactional logs, the “to” and “from” of all email communications (a historical pen/trap and trace), buddy lists or other special services maintained on the ISP’s computers, as well as opened electronic communications or extremely old unopened email.”
Note the recurring use of the word “all.”
For their part, the courts have largely acquiesced to this approach.
In a 2012 paper on d orders, “Gagged, Sealed, and Delivered,” Magistrate Judge Stephen Smith took the rare step of issuing a public warning about the d order regime. In large part due to the excessive secrecy surrounding these orders, it’s “reasonable to infer that far more law-abiding citizens than criminals have been tracked” through d order surveillance, he wrote. In Smith’s estimation, approximately 30,000 d orders are approved each year; in the vast majority of cases, the surveillance targets never find out the government used this power to spy on them. Often the applications and orders are filed under seal, “only to be unsealed once a criminal case is filed,” as Ars Technica wrote. “If no such charges are ever brought, the search [d orders] and the affidavits defending them can remain buried in the murkiest bits of the federal court system; even knowing that they exist can be a challenge. ISPs, which are often targets of such orders, may also be forbidden from disclosing them.”
As Magistrate Smith warned back in 2012, part of the problem with this excessive secrecy is that it protects potentially unconstitutional government surveillance from constitutional appellate challenge.
Smith:
Until 2010, no appellate court had ever addressed the legal standard applicable to cell phone-tracking orders, even though magistrate judges were issuing tens of thousands of such orders every year without appellate guidance. One federal circuit court finally considered the issue in that year, but its decision raised as many questions as it answered…The first (and to date the only) appellate case reaching the constitutionality of ECPA provisions on government access to emails was finally decided in 2010, and was commenced only after a magistrate judge unsealed the underlying ECPA orders
In this context, Magistrate Judge Harvey’s decision to push back against the government’s demand for secrecy is unusual and important. In his July 1, 2016 order—which is his second denial of the government’s surveillance applications in this particular case—Harvey chastises the government for filing a second incomplete d order application seeking Gmail, Yahoo, Facebook, Hotmail, and WhatsApp account information for nine suspects. As Harvey notes, “the government’s applications include no date restrictions for the records they seek.”
“In its first set of applications, filed June 10, 2016,” Harvey writes, “the government provided only a two-sentence description of the murder and no factual information about the alleged perpetrators, the basis for the government’s belief that those individuals committed the crime, or any connection between the 21 electronic accounts and the crime under investigation. Rather the government merely alleged that ‘[i]nvestigators have learned that individuals who perpetrated the attack used or purported to use a variety of’ the 21 electronic accounts, and that the records and information sought in the applications were ‘relevant and material’ to the investigation because they ‘will help investigators learn whether and how the perpetrators of the attack communicated with each other and other co-conspirators.’”
It’s not enough to say the people the government wants to spy on are criminals, Harvey writes. Under the governing statute, vague allegations of the suspects’ involvement in a murder are insufficient. Instead, the government must show how the specific information sought—access to the suspects’ internet records, which are likely voluminous—relates to the criminal investigation of the murder.
“The government is incorrect if it believes that section 2703(d) permits the disclosure of more electronic information in cases where the government knows the least. Rather, in every case—even one involving a very serious crime, as here—disclosure under section 2703(d) requires the government to provide the Court with ‘specific and articulable facts showing that there are reasonable grounds to believe that…the records or other information sought[] are relevant and material to an ongoing criminal investigation.’” In this case, however, Harvey writes, “the government does not appear to have any idea at this point whether the records it seeks will advance its investigation; it represents only that the records may show ‘whether and how’ the subjects communicated with each other. The government’s showing in the applications really boils down to two assertions, that (1) a group of persons are suspected of committing a crime and (2) those persons (may) have email or other electronic accounts.”
That’s simply not enough to justify the broad surveillance the government sought, Harvey concludes. If the limited information in the government’s application sufficed, “there would seem to be no rational reason why the government should not receive non-content information regarding all email accounts of any suspected criminal.”
Judge Harvey’s ruling is important not just because it holds the government to the legal standard required to obtain our private information. It’s also significant because he made the ruling public. Ultimately, his ruling boils down to this: congress intentionally strengthened the 2703(d) statute to prevent fishing expeditions, so don’t expect me to authorize a court order granting one. That’s a message the public and other courts need to hear, loud and clear.