Microsoft is once again making headlines via litigation over government’s use of the Stored Communications Act. For the past two years, it was Microsoft’s lawsuit challenging the government’s reliance on the warrant authority to reach data held outside the United States (the so-called Microsoft Ireland case, which I have written about here, here, and here). Now Microsoft is objecting to governmental orders precluding the company from telling its customers that their data has been searched or seized by law enforcement. (Link to their complaint is here.)
And the claim is compelling: Of the 5,624 demands for customer information or data between September 2014 and March 2016, approximately one-third (1,752) were accompanied by orders indefinitely barring Microsoft from disclosing the law enforcement request to their customers. Another 824 included such “secrecy orders,” but with time limits. Microsoft says that these orders violate their First Amendment rights. And it says that the orders violate the Fourth Amendment rights of their customers. I agree — but only in part.
But there is also room for optimism: The issue is one that may be short-lived. The Email Privacy Act, which passed the House Judiciary Committee yesterday by a vote of 28-0, addresses the key problem, at least in part. Let me explain.
First, the legal backdrop. When law enforcement agents search or seize one’s property, they are generally required to provide notice to the target of the search or seizure. It is a requirement that stems from a combination of both the Fourth Amendment and Due Process Clause.
That said, notice need not always be immediate. So-called “sneak and peak” warrants, for example, authorize the government to delay notice, but not indefinitely. (They also are, as their nickname suggests, geared towards peaking only; they preclude the seizure of any stored wire or electronic communication.) The Wiretap Act allows the government to listen to communications without notifying the target until 90 days after the interception has been completed. And the Stored Communications Act (SCA) permits the government to delay target notice for up to 90 days when it compels the production of stored communications; after 90 days, however, the government is either obliged to give notice or obtain an up-to 90 day extension. These provisions are not directly at issue in this litigation (although Microsoft’s claims rest, in part, on an argument that the SCA’s standard justifying a notification delay is overbroad; this is, as explained below, not a convincing part of its case).
What is at stake is a provision of the SCA that, also pursuant to court order, allows the government to preclude Microsoft (or any other communications service provider) from telling its customers that their data has been requested and/or turned over to law enforcement officials. These so-called “secrecy orders” — issued pursuant to 18 U.S.C. 2705(b) — are not subject to any statutorily imposed time limits; any such time limits are up to the court. According to Microsoft, it received over 2,500 such secrecy orders in the 18-month period ending in March 2016; 1,752 of these orders include no time limits. And Microsoft now claims that the statute at issue is facially invalid.
Second, the analysis: The Fourth Amendment. Microsoft’s Fourth Amendment claim centers on the absence of notice to its customers. While I am not convinced that Microsoft has made out a case for facial invalidation (and putting to a side the separate standing issue), I am convinced that there is a significant Fourth Amendment problem in the way the statute has been applied.
The problem stems from the interaction of the delayed notification provision with yet another provision of the SCA — namely 18 U.S.C. 2703(b)(1)(A). This provision allows the government to compel — via warrant and without notice to the target — the content of communications that have been in storage for more than 180 days (if held by an electronic communications provider, such as Microsoft, and regardless as to how long it has been stored if held by a remote communications provider). If the government obtains data via a no-notice warrant and imposes on Microsoft an indefinite prohibition on providing its customer notice, then the customer receives no notice from anyone. And we have a Fourth Amendment problem.
The solution, however, is not a facial invalidation of the statutory provision, but an as-applied challenge based on these facts. Importantly, Microsoft’s complaint also does not quantify how many of the indefinite “secrecy orders” were issued in conjunction with these no-notice warrants. That information is important to the evaluation of Microsoft’s claim. Moreover, alternative applications of the secrecy provisions that result in delayed (as opposed to the total absence of) notice does not, for the reasons stated below, necessarily yield a Fourth Amendment violation (although it may in certain cases).
Third, analysis part two: the First Amendment. Microsoft’s First Amendment claim depends on a number of inter-related claims. I will focus on two aspects of their argument: first, that the statute is overbroad because it authorizes the issuance of prolonged and potentially indefinite secrecy orders; and second, that the standard for issuing these orders — “reason to believe” that, among other things, delay would “seriously jeopardiz[e] an investigation or unduly delay[] a trial” — is also overbroad.
I am skeptical that an overbreadth claim will succeed. (In order for a court to invalidate the statute based on its overbreadth, it would need to find the statute’s application unconstitutional in substantial part when judged in relation to its legitimate sweep.) I do, however, agree that a significant number of the orders issued (namely the 1,755 “secrecy orders” of indefinite duration) violate the First Amendment in their application. Some portion of the additional 824 time-limited orders may violate the First Amendment as well.
More specifically, Microsoft is correct that an indefinite order of secrecy, without an assessment of its continued necessity, is an invalid restriction on speech. By contrast, a time-limited order — even a prolonged one — will not necessarily violate the First Amendment. It is both appropriate — and consistent with the First Amendment — to preclude Microsoft from notifying its customers for the period of time that the government has obtained a valid delayed notification order. After all, the delayed notification order would be of little use to the government if Microsoft could go ahead and tell the customer about the search or seizure anyway. The key, of course, is that the delayed notification order be valid (more on that below).
The additional problem here is that even the time-limited secrecy orders are not necessarily keyed to delayed notification orders. Rather, they appear to be issued in conjunction with no-notice warrants as well. Depending on how prolonged these prolonged secrecy orders are (and Microsoft does not say), some of these time-limited secrecy might constitute an illegitimate restraint speech as well.
This then brings us to the other key piece of Microsoft’s claim: that the grounds for the secrecy orders (which is also the standard for delayed notification by the government) are overbroad. I am not convinced. At least in the abstract, a “reason to believe” that notification will “seriously jeopardize an investigation” seems a valid basis for delaying notice. I would need to know a lot more about the specific ways that this standard is being applied before reaching a conclusion as to its legitimacy. Notably, Microsoft says that it has separately challenged the secrecy orders in specific cases. These case-specific challenges may very well present valid claims and should be pursued. But the facial claim, at least to the extent that it depends on the statutory standard, does not persuade.
Fourth, the (potential) good news. Yesterday, the House Judiciary Committee approved 28-0, the latest version of the Email Privacy Act, which, among other things, eliminates the key problem raised by this lawsuit. Specifically, it ensures that any such secrecy orders are time limited — up to 180 days at a time — and based on a court-approved finding of “adverse result” if notification were provided. In other words, no more indefinite secrecy orders once this bill becomes law. (The bill does, however, provide for the continued issuance of no-notice warrants, which means that unless the provider decides to tell its customer about the search, the target will likely never know.) By all accounts, the full House of Representatives intends to bring the bill to the floor in short order, and it is expected to pass with overwhelming support.
The key now is the Senate, where equivalent legislation also has broad bipartisan support. Microsoft’s litigation should provide one more argument in favor of quick consideration — and ultimate enactment — of the much-needed updates to the statutory rules governing law enforcement access to our data.