On October 24, the Justice Department announced new binding guidance designed to limit the routine use of non-disclosure orders that are used to prevent tech companies from notifying their customers about legal process issued under the Stored Communications Act, like search warrants, that they receive for information in customer accounts.
The new DOJ guidance requires that prosecutors tailor their requests for gag orders to the facts of each case, with the hope of ensuring that the orders are both justified and time limited. Importantly, such orders must now be limited to a duration of less than a year, unless there are “exceptional circumstances.”
This new DOJ guidance comes after a suit brought by Microsoft arguing that the Electronic Communications Privacy Act (ECPA), the statute governing the disclosure of communications data by tech companies to third parties, is unconstitutional under the Fourth Amendment because it does not contain a provision for notice to customers or subscribers, and that non-disclosure orders violated tech companies’ First Amendment rights to tell their customers about demands for their clients’ data.
Despite this change in DOJ policy, Congress should still act to codify this guidance into the Electronic Communications Privacy Act (ECPA). This is because not all legal process tech companies receive comes from the Justice Department. Often overlooked is the fact that tech companies also receive legal process and their attendant gag orders from state and local authorities not bound by the new DOJ guidance, though some may adopt the new guidance in order to comport with these “best practices.”
Most of the large tech companies do not report the percentage of requests that they receive from state and local agencies as opposed to federal agencies on their transparency reports. However, the Twitter transparency report indicates that the volume of requests from state and local agencies is not insignificant — 35% of requests originating from California in the first half of this year came from state and local authorities. Simultaneously, 29% of requests originating from New York in the first half this year came from state and local authorities.
ECPA therefore needs to be updated to restrict the use of gag orders outside of the Justice Department. Some state and local jurisdictions have been ahead of the curve in restricting the use of these gag orders. On Jan. 1, 2016, the California Electronic Communications Privacy Act (CalECPA) went into effect and contains a provision limiting non-disclosure orders to ninety days, with the possibility of extensions. As a result, state and local authorities in California are more limited in their use of gag orders to tech companies than are federal authorities.
However, there are also jurisdictions, like Minnesota, that lag significantly behind the standards set forth by the DOJ guidance. In Minnesota, county prosecutors and attorneys in the office of the attorney general may issue administrative subpoenas for records from tech companies pursuant to statutes that automatically (and indefinitely) gag the recipients of such subpoenas unless “disclosure is necessary to find and preserve the records” or “pursuant to court order.” Moreover, Minnesota authorities can still seek indefinite gag orders when they seek a search warrant under ECPA because they are not bound by the DOJ guidance.
Of course, when using administrative subpoenas, Minnesota authorities must still comply with ECPA, so they are not able to obtain anything other than subscriber information from tech companies with this legal process. They cannot obtain content information, such as emails, with these subpoenas. As a result, some might argue that automatically gagging the recipients of Minnesota administrative subpoenas is fine when the intrusion into a customer’s privacy is relatively slight. Additionally, because administrative subpoenas are issued without judicial review, creating a requirement that law enforcement seek a judicial order each time they need to require that a tech company not disclose the receipt of a subpoena is particularly burdensome. This burden is compounded by the fact that subpoenas are generally used in the earliest stages of law enforcement investigations, when the facts are still being developed.
That being said, the constitutional speech and privacy concerns raised by Microsoft in its suit also apply when tech companies are gagged by process received from state and local authorities. In its filings, Microsoft highlighted the fact that “in an 18-month period, 2,576 of the legal demands that we received from the U.S. government included an obligation of secrecy, and 68% of these appeared to be indefinite demands for secrecy.” That is, 68% of the gag orders Microsoft received with legal process requesting data in customer accounts did not have an expiration date. While we don’t know how many of these came from state and local authorities, the Twitter data cited above shows that a substantial proportion likely came from these sources.
Following the new DOJ guidance, Microsoft has dropped its suit. However, the tech giant still wants Congress to legislate the new DOJ guidance into ECPA, and has called for the Senate to move forward with the ECPA Modernization Act of 2017, which contains provisions curbing the use of gag orders and also seeks to update ECPA, a 1986 law, in response to modern privacy and law enforcement concerns.
Congress needs to make these changes. Congressional action will ensure consistency so that a person’s ability to receive notice when their data is seized is not contingent on which law enforcement agency is investigating them.
Image: Mark Wilson/Getty