How Would You Know if the Feds Searched Your E-mail? — ECPA’s Missing Notice Requirement

EPIC recently filed comments on proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, which would authorize judges to issue “remote access” search warrants in certain cases. As EPIC outlined, the surreptitious computer searches conducted under these remote access warrants would run afoul of an important Fourth Amendment protection — the requirement of prior notice. But the issue of delayed or non-existent notice is not only present with remote access searches; it is an issue with all electronic search authorities and especially with searches conducted under the Stored Communications Act, 18 U.S.C. § 2703.

The U.S. Government issues tens of thousands of e-mail search warrants each year, and yet users are rarely given notice when their accounts have been searched. Some providers have been ordered not to notify their subscribers, but the Electronic Communications Privacy Act gag order provisions are quite narrow. The recent release of warrants issued to Google for e-mails of Wikileaks staff members and the battle over the Lavabit warrant raise significant questions about the legality of the Government’s gag order process. Under ECPA, users should be notified when a search warrant is issued to obtain the contents of their e-mail accounts and in many cases the government should not be able to prohibit a service provider from notifying their customers.

More recently, Google sent a letter to several Wikileaks staffers, notifying them that their accounts were subject to search warrants and related surveillance orders in the U.S. District Court for the Eastern District of Virginia. According to reports, Google fought the gag orders in these investigations for several years until the warrants were successfully unsealed in May 2014. However, the documents released by Google do not explain the basis for the gag order or the specific authority under which these warrants were granted

In another recent case in the Eastern District of Virginia, the court unsealed warrants and related orders issued to Lavabit after the FBI demanded that the e-mail provider turn over their crypto keys (a Lavabit e-mail account was famously used by Edward Snowden to contact members of the media). The search warrant in that case was issued along with an order under 18 U.S.C. § 2705(b) not to notify any person “of the existence of the attached search warrant.” But the Electronic Communications Privacy Act does not clearly authorize gag orders (or even require notice) for e-mail search warrants.

Background — Notice of Searches Under the Stored Communications Act

The Stored Communications Act (SCA), part of the Electronic Communications Privacy Act of 1986, prohibits access to stored electronic communications and provides law enforcement agents with the authority to compel disclosure of stored communications in certain limited circumstances. Specifically, under 18 U.S.C. § 2703 a “government entity” may require a provider to disclose the contents of a “wire or electronic communication” that is “in electronic storage” under the following circumstances: (1) for a communication that has been in electronic storage for less than 180 days, pursuant to a warrant issued under the Federal Rules of Criminal Procedure (Rule 41) or similar state rules, or (2) for a communication that has been in electronic storage for more than 180 days either (a) pursuant to a warrant without required notice, or (b) pursuant to an administrative subpoena or court order with prior notice to the subscriber. 18 U.S.C. §§ 2703(a)-(b).

The SCA also specifies that a government entity “acting under section 2703(b)” may request an order delaying the notification required under 2703(b) “for a period not to exceed ninety days” if there is “reason to believe that notification” would lead to an “adverse result” as defined in 2705(a)(2). Under section 2705(b), the government can enforce these notice limitations by seeking an order “commanding a provider” for “such period as the court deems appropriate, not to notify any other person” of the existence of the warrant. 18 U.S.C. § 2705(b). However, this gag order only applies to disclosures under 2703(b) — governing warrants, orders, and subpoenas for communications stored for more than 180 days. So what happens when the government obtains a warrant for “fresh” e-mails that have been stored for less than 180 days?

What Notice is Required? — In re United States

In July of 2008, the United States applied for two search warrants under section 2703(a) for Google subscriber e-mails. See In re U.S., 685 F. Supp. 2d 1210, 1214 (D. Or. 2009). The Government initially requested that notice to the subscribers be delayed under section 2703(b), but later changed its position and argued that no notice was required under 2703(a) and Rule 41 of the Federal Rules of Criminal Procedure. The magistrate judge found that Rule 41 required the government to provide notice to the subscriber upon execution of the warrant (that is the typical rule for search warrants).

But the Government appealed the magistrate judge’s decision to the U.S. District Court for the District of Oregon. In a rare published opinion on search warrant procedures, the court found that the plain language of the SCA was ambiguous as to whether Rule 41 “notice” to the subscriber was required under section 2703(a). The court found that both Rule 41 and Fourth Amendment notice requirements would be satisfied by leaving a copy of the warrant with the service provider. But the court failed to consider whether a valid gag order could be issued to prevent the service provider from notifying its subscriber of the warrant.

In many cases where the Government applies for an e-mail search warrant, as it did in the Lavabit and Wikileaks cases, it will also apply for a gag order under 18 U.S.C. § 2705(b). But the statute makes clear that the gag order provision only applies when (1) the government is “not required to notify the subscriber or customer under section 2703(b)(1)” or (2) where “it may delay such notice pursuant to [section 2705(a)].” What happens when the Government obtains a search warrant for more “recent” e-mails under section 2703(a)? According to the statute, the gag order would not apply and the provider would therefore not be prohibited from notifying their subscriber of the warrant. Yet that did not happen in the Wikileaks or Lavabit cases, so what is going on here?

Where Are All the E-mail Search Warrant Notifications?

My theory is that magistrate judges do not adequately differentiate between search warrants issued for “newer” and “older” e-mails as defined in the SCA (the “180-day rule”). I assume that most e-mail warrants, like those issued in the Lavabit and Wikileaks cases, are blanket requests for “all communications” that do not differentiate between messages stored for more than 180 days and those stored for 180 days or less. We can see from the history of In re U.S. that the Government itself is not always respectful of the distinction either. The problem is that the SCA warrant procedures have not been subject to extensive judicial review. There are fewer than 450 decisions in federal and state courts over the last 30 years that cite 18 U.S.C. 2703. And the only way this issue would come up is if a provider either (1) challenges an unlawful gag order, or (2) challenges a contempt order based on the violation of an unlawful gag order.

Another related problem is the growth in the “shadow docket” handled by federal magistrate judges. As Magistrate Judge Stephen Wm. Smith described in his article, Gagged, Sealed & Delivered: Reforming ECPA’s Secret Docket, there is an utter lack of transparency in the judicial process surrounding SCA orders. A 2009 Report by the Federal Judicial Center found that an astonishing number of cases are filed under seal and many of them remain hidden indefinitely. The Report revealed that as of 2008 more than 18,000 warrant-type applications filed in 2006 were still under seal. There were only 66,458 criminal cases filed in 2006.

So how many search warrants are being issued for stored e-mail? According to Google’s transparency report, there were 3,187 search warrants issued by the U.S. in the first six months of 2014 alone. According to the Yahoo! transparency report, content was disclosed in response to 1,396 U.S. government data requests in the first six months of 2014. Microsoft reports that they disclosed content in response to roughly 690 U.S. requests in the first six months of 2014. So tens of thousands of e-mail accounts are subject to U.S. search warrants each year, yet we rarely hear about users being notified. The question is, are courts issuing unlawful gag orders or are providers failing to notify their customers after these warrants are served?


For more information visit Defend Privacy. Support EPIC.