ecpa – Techdirt (original) (raw)

California Court: Passwords Are Communications, Protected By The Stored Communications Act

from the only-so-far-you-can-take-a-subpoena dept

The Stored Communications Act — enacted in 1986 — is not only outdated, it’s also pretty weird. An amendment to the ECPA (Electronic Communications Privacy Act), the SCA added and subtracted privacy from communications.

It’s the subtractions that are bothersome. Law enforcement wasn’t too happy a lot of electronic communications were now subject to warrant requirements. They much preferred the abundant use/misuse of subpoenas to force third-parties into handing over stuff they didn’t have the probable cause to demand directly from criminal suspects.

Private parties — especially those engaged in civil litigation — also preferred to see fewer communications protected by the ECPA. So, this law — which declared every unopened email more than 180 days old free game — was welcomed by plenty of people who didn’t have the general public’s best interests in mind.

The government tends to make the most use of the ECPA and SCA’s privacy protection limitations, using the law and legal interpretations to access communications most people logically assumed the government would need warrants to obtain.

But the SCA also factors into civil litigation. In some cases, the arguments revolve around who exactly is protected by the law when it comes to unexpected intrusion by private parties. In this case — one highlighted by FourthAmendment.com (even as the site owner notes it’s not really a Fourth Amendment case) — it involves international litigation involving US service providers. The case directly deals with the Stored Communications Act and what it does or does not protect.

This lawsuit was brought by Path, an Arizona corporation, and its subsidiary, Tempest. Central to the litigation is Canadian citizen Curtis Gervais, who apparently was hired as an independent contractor by Tempest, which promoted him to the position of CEO in February 2022. A few months later, Gervais allegedly hacked into a competitor’s (Game Server Kings [“GSK”]) computers, leading to Tempest demoting (lol) Gervais to COO (Chief Operating Officer).

This demotion apparently didn’t sit well with Gervais, who allegedly began sharing confidential Tempest information with GSK, utilizing communications platform Discord to hand over this information to GSK employees.

So, it’s three American companies and one Canadian individual wrapped up in a dispute over ex parte demands to disclose information to the plaintiffs (Path/Tempest). Discord challenged the subpoenas, which asked for — among other things — any passwords used by Gervais to log into its services.

That’s where it gets interesting. Very few courts have considered what’s explicitly covered by the SCA and/or what can be obtained with subpoenas issued under this authority.

As is implied by both laws in play here (Electronic Communications Protection Act, Stored Communications Act), the protections (or lack thereof) apply to communications. Path argued that its subpoenas did not exceed the grasp of these laws, despite demanding Discord hand over Gervais’ passwords. According to the plaintiffs, passwords aren’t communications.

But that’s a very reductive view of passwords, something Discord pointed out in its challenge of the subpoenas:

Applicants argue passwords are not afforded protection under the SCA because passwords should not be considered “content.” Discord argues passwords are implicitly included within the SCA’s prohibitions because passwords implicate communications. In other words, Discord argues that passwords are “content “ under the SCA because they are “information concerning the substance, purport, or meaning” of a communication.

The court [PDF] says Discord is correct. But only after a lot of discussion because, as the court notes, this is an issue of “first impression.” It has never been asked to make this determination prior to this unique set of circumstances. But, despite the lack of precedent, the court still delivers a ruling that sets a baseline for future cases involving SCA subpoenas.

It begins by saying that even if the language of the SCA doesn’t specifically include passwords in its definition of “content,” it’s clear Congress meant to add protections to electronic communications with this amendment, rather than lower barriers for access.

The legislative history agrees with a broad interpretation of “content.” Congress explained that the purpose of enacting the SCA was to protect individuals on the shortcomings of the Fourth Amendment. Specifically, Congress enacted the SCA due to the “tremendous advances in telecommunications and computer technologies” with the “comparable technological advances in surveillance devices and techniques.” The SCA was further meant to help “Americans [who] have lost the ability to lock away a great deal of personal and business information.”

With this analysis of the scope of the term “content” under the SCA in mind, the Court now turns to determine if passwords are afforded protection under the SCA under that understanding of the definition of the term “content.” Passwords are undoubtedly a form of “information.” And passwords broadly “relate to” (or are “concerning”) the “substance, purport, or meaning of [a] communication” even if passwords are not themselves the content of a communication. Passwords further relate to a person’s intended message to another; while a password is not the content of the intended message, a password controls a user’s access to the content or services that require the user to prove their identity. As a matter of technological access to an electronic message, a password thus “relates to” the intended message because without a password, the author cannot access their account to draft and send the message (and the user cannot access their account to receive and read the message).

When a person uses a password to access their account to draft and send a message, that author inherently communicates to the recipient at least one piece of information that is essential to complete the communication process: namely, that the author has completed the process of authentication. The password is information or knowledge which is intended to convey a person’s claim of identity not just to the messaging system but also implicitly to the recipient. As such, within the context of electronic communication systems, passwords are a critical element because they convey an “essential part” of the communication with respect to access and security protocols.

The dispute at issue here demonstrates the inherency of communicating about passwords when using a messaging platform such as Discord: when the user of the “Archetype” sent messages demanding ransom for the stolen source code, those messages conveyed to the recipients that the author is or was an authentic or authorized user of the “Archetype” account who used and had access to the password for that account. That password for that account thus is information concerning that communication, even if the password is not itself written out in the content directly.

In addition to all of that, there’s the undeniable fact that if you’re able to obtain login info (including passwords) with a subpoena, it doesn’t matter if courts limit the reach of demands for communications. If you have the keys to the accounts, you have full access to any stored communications, whether or not this access has been explicitly approved by a court.

With this password in hand, a litigant (or their ediscovery consultants) would have unfettered access to all communications within the account holder’s electronic storage, without regard to relevance, privilege, or other appropriate bounds of permissible discovery. In other words, litigants could circumvent the very purpose of the SCA by simply requesting that a service provider disclose the password for a user account, ultimately vitiating the protections of the SCA.

No court would allow the government to claim this is acceptable under the SCA and/or the Constitution. And no court should allow it just because it’s litigation involving only private parties. This particular demand cannot be honored without violating the law. And the companies behind the subpoenas know this because they obviously have zero interest in obtaining nothing more than Gervais’ login info.

The only conceivable use for the passwords here is for Applicants to access the requested accounts (such as “Archetype”) and view the contents of all electronically stored communications in those requested accounts.

That’s clearly the litigants’ intent. And it doesn’t mesh with the legislative intent, which was to create a few new protections for then-newfangled electronic communications. This particular demand is rejected. The subpoenas are still alive, but they’re no longer intact. If the suing entities want access to the defendant’s communications, they’ll have to do it the old-fashioned way: by making discovery requests that remain on the right side of the law.

Filed Under: california, communications, curtis gervais, ecpa, passwords, sca, stored communications act
Companies: discord, path, tempest

Bizarre Magistrate Judge Ruling Says That If Facebook Deletes An Account, It No Longer Needs To Keep Details Private

from the that-doesn't-make-any-sense dept

There have been a bunch of slightly wacky court rulings of late, and this recent one from magistrate judge Zia Faruqui definitely is up there on the list of rulings that makes you scratch your head. The case involves the Republic of Gambia seeking information on Facebook accounts that were accused of contributing to ethnic genocide of the Rohingya in Myanmar. This situation was — quite obviously — horrible, and it tends to be the go-to story for anyone who wants to show that Facebook is evil (though I’m often confused about how people often seem more focused on blaming Facebook for the situation than the Myanmar government which carried out the genocide…). Either way, the Republic of Gambia is seeking information from Facebook regarding the accounts that played a role in the genocide, as part of its case at the International Court of Justice.

Facebook, which (way too late in the process) did shut down a bunch of accounts in Myanmar, resisted demands from Gambia to hand over information on those accounts noting, correctly, that the Stored Communications Act likely forbids it from handing over such private information. The SCA is actually pretty important in protecting the privacy of email and messages, and is one of the rare US laws on the books that is actually (for the most part) privacy protecting. That’s not to say it doesn’t have its own issues, but the SCA has been useful in the past in protecting privacy.

The ruling here more or less upends interpretations of the SCA by saying once an account is deleted, it’s no longer covered by the SCA. That’s… worrisome. The full ruling is worth a read, as you’ll know you’ll be in for something of a journey when it starts out:

I come to praise Facebook, not to bury it.

Not quite what you expect from a judicial order. The order lays out the unfortunately gory details of the genocide in Myanmar, as well as Facebook’s role in enabling the Myanmar government to push out propaganda and rally support for its ethnic cleansing. But the real question is how does all of this impact the SCA. As the judge notes, since the SCA was written in 1986 it certainly didn’t predict today’s modern social media, or the questions related to content moderation, so this is a new issue for the court to decide. But… still. The court decides that because an account is disabled… that means that the communications are no longer “stored.” Because [reasons].

The Problem Of Content Moderation

At the time of enactment, Congress viewed ECS and RCS providers as mail/package delivery services. See Cong. Rsch. Serv., R46662, Social Media: Misinformation and Content Moderation Issues for Congress (2021), https://crsreports.congress.gov/product/pdf/R/R46662\. This view failed to consider content moderation; mail/package delivery services have neither the ability nor the responsibility to search the contents of every package. Yet after disinformation on social media has fed a series of catastrophic harms, major providers have responded by taking on the de facto responsibility of content moderation. See id. ?The question of how social media platforms can respect the freedom of expression rights of users while also protecting [users] from harm is one of the most pressing challenges of our time.? …

This Court is the first to consider the question of what happens after a provider acts on its content moderation responsibility. Is content deleted from the platform but retained by the provider in ?backup storage?? It is not.

That obviously seems like a stretch to me. If the company still retains the information then it is clearly in storage. Otherwise, you’ve just created a massive loophole by saying that any platform can expose the private communications of someone if they first disable their account.

The court’s reasoning, though gets at the heart of the language of the SCA and how it protects both “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” or “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” It says the first bit can’t apply because these communications had reached their “final destination” and were no longer temporary. And it can’t be “backup” since the original content had been deleted, therefore there couldn’t be any “backup.”

Congress?s conception of ??backup? necessarily presupposes the existence of another copy to which this [backup record] would serve as a substitute or support.? Id. Without an original, there is nothing to back up. Indeed ?the lifespan of a backup is necessarily tied to that of the underlying message. Where the underlying message has expired . . . , any copy is no longer performing any backup function. An [ECS] that kept permanent copies of [deleted] messages could not fairly be described as ?backing up? those messages.?

But… I think that’s just wrong. Facebook retaining this data (but blocking the users from accessing it themselves) is clearly a “backup.” It’s backup in case there is a reason why, at some future date, the content does need to be restored. Under the judge’s own interpretation, if you backup your hard drive, but then the drive crashes, your backup is no longer your backup, because there’s no original. But… that’s completely nonsensical.

The judge relies on (not surprisingly) a case in which the DOJ twisted and stretched the limits of the SCA to get access to private communications:

Nearly all ?backup storage? litigation relates to delivered, undeleted content. That case law informs and supports the Court?s decision here. ?Although there is no binding circuit precedent, it appears that a clear majority of courts have held that emails opened by the intended recipient (but kept on a web-based server like Gmail) do not meet the [backup protection] definition of ?electronic storage.?? Sartori v. Schrodt, 424 F. Supp. 3d 1121, 1132 (N.D. Fla. 2019) (collecting cases). The Department of Justice adopted this view, finding that backup protection ?does not include post-transmission storage of communications.? U.S. Dep?t of Just., Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, 123 (2009), https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf. The Gambia argues for following the majority view?s limited definition of backup storage. See Sartori, 424 F. Supp. 3d at 1132; ECF No. 16 (Pet?r?s Resp. to Surreply) at 5?6. If undeleted content retained by the user is not in backup storage, it would defy logic for deleted content to which the user has no access to be in backup storage.

As for the argument (which makes sense to me) that Facebook made that the entire reason for retaining the account shows that it’s backup, the judge just doesn’t buy it.

Facebook argues that because the provider-deleted content remains on Facebook servers in proximity to where active content on the platform is stored, both sets of content should be protected as backup storage. See Conf. Tr. at 76. However, the question is not where the records are stored but why they are stored. See Theofel, 359 F.3d at 1070. Facebook claims it kept the instant records as part of an autopsy of its role in the Rohingya genocide. See Conf. Tr. at 80?81. While admirable, that is storage for self-reflection, not for backup.

The judge also brushes aside the idea that there are serious privacy concerns with this result, mainly because the judge doesn’t believe Facebook cares about privacy. That, alone, is kind of a weird way to rule on this issue.

Finally, Facebook advances a policy argument, opining that this Court?s holding will ?have sweeping privacy implications?every time a service provider deactivates a user?s account for any reason, the contents of the user?s communications would become available for disclosure to anyone, including the U.S. government.?…. Facebook taking up the mantle of privacy rights is rich with irony. News sites have entire sections dedicated to Facebook?s sordid history of privacy scandals.

So… because Facebook doesn’t have a great history regarding the protection of privacy… we can make it easier for Facebook to expose private communications? What? And even if it’s true that Facebook has made problematic decisions in the past regarding privacy, that’s wholly separate from the question of whether or not it has a legal obligation to protect the privacy of messages now.

Furthermore, the judge insists that even if there are privacy concerns, they are “minimal”:

The privacy implications here are minimal given the narrow category of requested content. Content urging the murder of the Rohingya still permeates social media. See Stecklow, supra (documenting ?more than 1,000 examples . . . of posts, comments, images and videos attacking the Rohingya or other Myanmar Muslims that were on Facebook? even after Facebook apologized for its services being ?used to amplify hate or exacerbate harm against the Rohingya?). Such content, however vile, is protected by the SCA while it remains on the platform. The parade of horribles is limited to a single float: the loss of privacy protections for de-platformed content. And even that could be mitigated by users joining sites that do not de-platform content.

Yes. In this case. But this could set a precedent for accessing a ton of other private communications as well, and that’s what’s worrying. It’s absolutely bizarre and distressing that the judge doesn’t bother to think through the implications of this ruling beyond just this one case.

Prof. Orin Kerr, one of the foremost experts on ECPA and the SCA, notes that this is both an “astonishing interpretation” and “stunning.”

Also, it's a stunning interpretation in its consequences. Under the op, the most fundamental rule of Internet privacy — that your e-mails and messages are protected from disclosure — is largely meaningless. A provider can just delete your account and hand out your messages.

— Orin Kerr (@OrinKerr) September 24, 2021

The entire ruling is concerning — and feels like yet another situation where someone’s general disdain for Facebook and its policies (a totally reasonable position to take!) colored the analysis of the law. And the end result is a lot more dangerous for everyone.

Filed Under: backup, deleted profiles, ecpa, gambia, myanmar, privacy, sca, stored communications act, zia faruqui
Companies: facebook

Appeals Court: Stored Communications Act Privacy Protections Cover Opened And Read Emails

from the shouldn't-have-needed-to-be-said,-but-at-least-it-was-said-forcefully dept

The Fourth Circuit Court of Appeals has handed down an important decision [PDF] bolstering privacy protections for stored email. As we’re painfully aware, unopened email older than 180 days is granted zero privacy protections, treated like unopened snail mail left at the post office. Opened email, on the other hand, would seem to carry an expectation of privacy, but a district court ruling came to exactly the opposite conclusion, prompting this appeal.

A lawsuit involving a pair of affairs and one party’s decision to read someone else’s emails surfaced a question not often posed without a government party involved. Here’s the court’s summary of the convoluted backstory that led to accusations of federal law violations:

From August 2011 to February 2015, [Patrick] Hately had an intimate relationship with Nicole Torrenzano (“Nicole”), with whom Hately has two children. During their relationship, Hately and Nicole shared login and password information for their email accounts—including Hately’s Blue Ridge College email account. But when, about March 2015, Nicole informed Hately that she also was involved in an intimate relationship with [Dr. David] Watts, who was her co-worker and married to Audrey Hallinan Watts (“Audrey”), Hately and Nicole separated.

Pertinent to this action, Hately did not change the password that he shared with Nicole for his Blue Ridge College email account. Watts and Nicole continued their personal relationship, and during the fall of 2015, Watts and Audrey initiated divorce proceedings. In an effort to help Watts in his divorce proceedings, Nicole told Watts that Hately and Audrey were having an affair. Nicole said she knew of emails between Hately and Audrey that Watts could obtain by using the password that she had to Hately’s Blue Ridge College email account.

This certainly doesn’t make what Watts did OK, but he seemed to feel it at least made his actions legal.

Watts stated that he used the password Nicole gave him to browse through Hately’s emails but contended that he “did not open or view any email that was unopened, marked as unread, previously deleted, or in the [student email account]’s ‘trash’ folder.”

This bizarre defense of invading someone else’s privacy convinced the lower court that Watts’ actions were legally in the clear, even if they were clearly morally wrong. It dismissed his Stored Communications Act claims against Watts, stating that the SCA did not protect opened email. According to the lower court, the only email protected by the SCA is email still in transit. Once it’s been downloaded and opened, it’s apparently cool for other people to access and read, even if it’s not their email account.

With this bizarre take, the lower court basically stated spam email routed directly to the trash has more privacy protections than direct communications between living, breathing persons. The appeals court points out this interpretation is off base by a long distance. A lengthy discussion of the SCA and Congressional intent — along with a revival of Hately’s state law claims — takes up a great deal of the opinion’s 55 pages.

Dr. Watts — the email interloper — argued the SCA did not protect these communications because the Blue Ridge College email server was not an “electronic communication service,” but rather a “remote computing device.” This argument hinged on the email system’s construction, which used Google’s services for transmitting and storing email. But the university also stored a copy of all Blue Ridge email on its own servers as a backup for users. This crucial fact restores the expectation of privacy, according to the appeals court, which points out Blue Ridge’s backup server actually makes it both.

The district court’s reasoning rests on the premise that, for purposes of the emails in question, Blue Ridge College’s email service could not simultaneously function as both an electronic communication service and a remote computing service. But nothing in the plain language of the definitions of electronic communication service and remote computing service precludes an entity from simultaneously functioning as both.

There is no logical or technological obstacle to an entity “provid[ing] to users thereof the ability to send or receive wire or electronic communications”—i.e., functioning as an electronic communication service—while, and as part of the same service, “provi[ding] the public [with] computer storage or processing services by means of an electronic communications system”—i.e., functioning as a remote computing service. And the relevant legislative history expressly contemplates as much, stating that “remote computing services may also provide electronic communication services.” S. Rep. No. 99-541, at 14; see also H.R. Rep. No. 99-647, at 64 (“[T]o the extent that a remote computing service is provided through an Electronic Communication Service, then such service is also protected [under Section 2701(a)].”).

As the appeals court notes, it makes no sense to suggest email users consider opened email worthy of less protection than others they’ve sent directly to the trash without reading. Servers like the one used by Blue Ridge to back up the Google-based email system are the end result of users’ desires. Users want to store emails for later reading or use. And Congress — even with its horribly-outdated Stored Communications Act — recognized the privacy inherent to these personal communications. This covers delivered and opened email, no matter where the original or its backup resides.

To read the law otherwise is to upend the personal nature of email communications, allowing almost anyone to access anyone else’s email without permission and face zero consequences (at least under federal law) for doing so.

The district court’s construction of Subsection (B)—that previously delivered and opened emails stored by a web-based email service are not in “electronic storage” and therefore not actionable under Section 2701(a)(1)—would materially undermine these objectives. Potential users of web-based-email services—like Blue Ridge College’s email service—would be deterred from using such services, knowing that unauthorized individuals and entities could access many, if not most, of the users’ most sensitive emails without running afoul of federal law. Likewise, without the prospect of liability under federal law, unauthorized entities will face minimal adverse consequences for accessing, and using for their own benefit, communications to which they are not a party. The legislative history establishes that Congress did not intend such a result.

The district court’s interpretation of Subsection (B)—which would protect only unread emails stored in by web-based email service—also leads to an arbitrary and untenable “gap” in the legal protection of electronic communications.

Back the case goes to the lower court, reversed and remanded with instructions to reach a less illogical conclusion. And in doing so, the appeals court sets an important precedent that clarifies what the SCA actually covers.

Filed Under: 4th circuit, ecpa, emails, privacy, stored communications act

Democratic National Committee's Lawsuit Against Russians, Wikileaks And Various Trump Associates Full Of Legally Nutty Arguments

from the slow-down-there-dnc dept

This morning I saw a lot of excitement and happiness from folks who greatly dislike President Trump over the fact that the Democratic National Committee had filed a giant lawsuit against Russia, the GRU, Guccifier 2, Wikileaks, Julian Assange, the Trump campaign, Donald Trump Jr., Jared Kushner, Paul Manafort, Roger Stone and a few other names you might recognize if you’ve followed the whole Trump / Russia soap opera over the past year and a half. My first reaction was that this was unlikely to be the kind of thing we’d cover on Techdirt, because it seemed like a typical political thing. But, then I looked at the actual complaint and it’s basically a laundry list of the laws that we regularly talk about (especially about how they’re abused in litigation). Seriously, look at the complaint. There’s a CFAA claim, an SCA claim, a DMCA claim, a “Trade Secrets Act” claim… and everyone’s favorite: a RICO claim.

Most of the time when we see these laws used, they’re indications of pretty weak lawsuits, and going through this one, that definitely seems to be the case here. Indeed, some of the claims made by the DNC here are so outrageous that they would effectively make some fairly basic reporting illegal. One would have hoped that the DNC wouldn’t seek to set a precedent that reporting on leaked documents is against the law — especially given how reliant the DNC now is on leaks being reported on in their effort to bring down the existing president. I’m not going to go through the whole lawsuit, but let’s touch on a few of the more nutty claims here.

The crux of the complaint is that these groups / individuals worked together in a conspiracy to leak DNC emails and documents. And, there’s little doubt at this point that the Russians were behind the hack and leak of the documents, and that Wikileaks published them. Similarly there’s little doubt that the Trump campaign was happy about these things, and that a few Trump-connected people had some contacts with some Russians. Does that add up to a conspiracy? My gut reaction is to always rely on Ken “Popehat” White’s IT’S NOT RICO, DAMMIT line, but I’ll leave that analysis to folks who are more familiar with RICO.

But let’s look at parts we are familiar with, starting with the DMCA claim, since that’s the one that caught my eye first. A DMCA claim? What the hell does copyright have to do with any of this? Well…

Plaintiff’s computer networks and files contained information subject to protection under the copyright laws of the United States, including campaign strategy documents and opposition research that were illegally accessed without authorization by Russia and the GRU.

Access to copyrighted material contained on Plaintiff’s computer networks and email was controlled by technological measures, including measures restricting remote access, firewalls, and measures restricting acess to users with valid credentials and passwords.

In violation of 17 U.S.C. § 1201(a), Russia, the GRU, and GRU Operative #1 circumvented these technological protection measures by stealing credentials from authorized users, condcting a “password dump” to unlawfully obtain passwords to the system controlling access to the DNC’s domain, and installing malware on Plaintiff’s computer systems.

Holy shit. This is the DNC trying to use DMCA 1201 as a mini-CFAA. They’re not supposed to do that. 1201 is the anti-circumvention part of the DMCA and is supposed to be about stopping people from hacking around DRM to free copyright-covered material. Of course, 1201 has been used in all sorts of other ways — like trying to stop the sale of printer cartridges and garage door openers — but this seems like a real stretch. Russia hacking into the DNC had literally nothing to do with copyright or DRM. Squeezing a copyright claim in here is just silly and could set an awful precedent about using 1201 as an alternate CFAA (we’ll get to the CFAA claims in a moment). If this holds, nearly any computer break-in to copy content would also lead to DMCA claims. That’s just silly.

Onto the CFAA part. As we’ve noted over the years, the Computer Fraud and Abuse Act is quite frequently abused. Written in response to the movie War Games to target “hacking,” the law has been used for basically any “this person did something we dislike on a computer” type issues. It’s been dubbed “the law that sticks” because in absence of any other claims that one always sticks because of how broad it is.

At least this case does involve actual hacking. I mean, someone hacked into the DNC’s network, so it actually feels (amazingly) that this may be one case where the CFAA claims are legit. Those claims are just targeting the Russians, who were the only ones who actually hacked the DNC. So, I’m actually fine with those claims. Other than the fact that they’re useless. It’s not like the Russian Federation or the GRU is going to show up in court to defend this. And they’re certainly not going to agree to discovery. I doubt they’ll acknowledge the lawsuit at all, frankly. So… reasonable claims, impossible target.

Then there’s the Stored Communications Act (SCA), which is a part of ECPA, the Electronic Communications Privacy Act, which we’ve written about a ton and it does have lots of its own problems. These claims are also just against Russia, the GRU and Guccifer 2.0, and like the DMCA claims appear to be highly repetitive with the CFAA claims. Instead of just unauthorized access, it’s now unauthorized access… to communications.

It’s then when we get into the trade secrets part where things get… much more problematic. These claims are brought against not just the Russians, but also Wikileaks and Julian Assange. Even if you absolutely hate and / or distrust Assange, these claims are incredibly problematic against Wikileaks.

Defendants Russia, the GRU, GRU Operative #1, WikiLeaks, and Assange disclosed Plaintiff’s trade secrets without consent, on multiple dates, discussed herein, knowing or having reason to know that trade secrets were acquired by improper means.

If that violates the law, then the law is unconstitutional. The press regularly publishes trade secrets that may have been acquired by improper means by others and handed to the press (as is the case with this content being handed to Wikileaks). Saying that merely disclosing the information is a violation of the law raises serious First Amendment issues for the press.

I mean, what’s to stop President Trump from using the very same argument against the press for revealing, say, his tax returns? Or reports about business deals gone bad, or the details of secretive contracts? These could all be considered “trade secrets” and if the press can’t publish them that would be a huge, huge problem.

In a later claim (under DC’s specific trade secrets laws), the claims are extended to all defendants, which again raises serious First Amendment issues. Donald Trump Jr. may be a jerk, but it’s not a violation of trade secrets if someone handed him secret DNC docs and he tweeted them or emailed them around.

There are also claims under Virginia’s version of the CFAA. The claims against the Russians may make sense, but the complaint also makes claims against everyone else by claiming they “knowingly aided, abetted, encouraged, induced, instigated, contributed to and assisted Russia.” Those seem like fairly extreme claims for many of the defendants, and again feel like the DNC very, very broadly interpreting a law to go way beyond what it should cover.

As noted above, there are some potentially legit claims in here around Russia hacking into the DNC’s network (though, again, it’s a useless defendant). But some of these other claims seem like incredible stretches, twisting laws like the DMCA for ridiculous purposes. And the trade secret claims against the non-Russians is highly suspect and almost certainly not a reasonable interpretation of the law under the First Amendment.

Filed Under: cfaa, conspiracy, dmca, dnc, donald trump junior, ecpa, gru, hack, hacking, jared kushner, julian assange, paul manafot, rico, roger stone, russia, sca, trade secrets
Companies: dnc, wikileaks

Dianne Feinstein Wants Twitter To Just Hand Her A Bunch Of Private Communications

from the wtf dept

I’m not sure who Dianne Feinstein thinks she is, but she’s going after Twitter users’ private communications. As part of the ongoing hearings into Russian interference in the election process (specifically marketing efforts by Russian troll armies), Feinstein has asked Twitter [PDF] to hand over a bunch of information.

Most of the demands target Twitter itself: documents related to ad campaigns, investigative work by Twitter to uncover bot accounts, communications between Twitter and Russian-connected entities, etc. Then there’s this demand, which doesn’t ask Twitter to turn over communications from Twitter, but rather users’ private messages.

All content of each Direct Message greater than 180 days old between each Requested Account contained in Attachment A and any of the following accounts:

A. @wikileaks (https://twitter.com/wikileaks, 16589206);

B. @WLTaskForce (https://twitter.com/WLTaskforce, 783041834599780352);

C. @GUCCIFER_2 (https://twitter.com/GUCCIFER\_2, 744912907515854848);

D. @JulianAssange_ (https://twitter.com/JulianAssange, 181199293);

E. @JulianAssange (https://twitter.com/JulianAssange, 388983706): or

F. @granmarga (https://twitter.com/granmarga, 262873196).

15. For each Direct Message identified in response to the preceding requests, documents sufficient to identify the sender. receiver, date, and time each message was sent.

Feinstein’s acting like she can use the ECPA’s “older than 180 days” trick — most commonly applied to emails — to obtain private communications between Twitter users. That’s not really how this works. Law enforcement can demand these with a subpoena, but a non-law enforcement entity can’t. Feinstein isn’t a law enforcement officer. She’s a Senator. There’s no reason for Twitter to comply with this part of the order.

In fact, it may be illegal for Twitter to turn these communications over. The Stored Communications Act forbids service providers from handing out this information to anyone without a warrant. If Feinstein really wants these communications, she’d better turn this into a law enforcement investigation and have someone obtain the proper judicial permission slip.

Feinstein knows this part of the request is a bit off. That’s why she attempts to minimize the multitude of problems in her request with this:

While I recognize that this type of information is not routinely shared with Congress, we have sought to limit the requests to communications only with those entities identified as responsible for distribution of material that was unlawfully obtained through Russian cyberattacks on US computer systems.

This would seem to indicate an actual investigation involving actual law enforcement agencies is a possibility. If so, demands for private communications with these accounts can wait for an actual search warrant. If not, Twitter is well within its rights to refuse her request. This request will sweep up all sorts of communications from accounts not currently under investigation, either by the Senate subcommittee or any US law enforcement agency.

It’s more than just the six accounts listed — even though each of those may have received hundreds of Direct Messages. There’s another list — Exhibit A — that hasn’t been made public. Any perceived violations of privacy laws witnessed here have the chance to grow exponentially should Feinstein somehow coax Twitter into turning over these messages. This is a stupid and dangerous request from a public servant who should know better.

Filed Under: authoritarian, dianne feinstein, ecpa, sca, stored communications act
Companies: twitter

Supreme Court Agrees To Hear Case Involving US Demands For Emails Stored Overseas

from the spending-locally,-thinking-globally dept

The Supreme Court has granted the government’s request for review of Second Circuit Appeals Court’s decision finding Microsoft did not have to turn over communications stored overseas in response to US-issued warrants.

This is a pretty quick turnaround as far as tech issues go. The Supreme Court is finally willing to take a look at the privacy expectation of third party phone records (specifically: historical cell site location info), following years of courtroom discussion… which follow years of Third Party Doctrine expansion.

That being said, a resolving of sorts is needed to clarify the reach of US law enforcement going forward. The Second Circuit twice shut down the DOJ’s requests to extend its reach to offshore servers. Even as the Microsoft case was still being litigated, other courts were coming to contrary decisions about data stored overseas.

The target in these cases was Google. Google’s data-handling processes contributed to the adverse rulings. Unlike Microsoft — which clearly delineated foreign data storage — data and communications handled by Google flow through its servers constantly. Nothing truly resides anywhere, a fact the DOJ pressed in its arguments and the one two judges seized on while denying Google’s warrant challenges.

The Supreme Court’s ruling will be needed to tie these disparate decisions up into a cohesive whole.

Or not. Rule 41 changes that went into effect at the beginning of this year remove a lot of jurisdictional limitations on search warrants. On top of that, the DOJ has been angling for expanded overseas powers, pushing Congress towards amending the Stored Communications Act.

This, of course, is what the Second Circuit Appeals Court told the government to do: take it up with legislators. But if litigation is a slow process, legislation can be just as time-consuming. The DOJ wants permission now and the Supreme Court gives it the best chance of being allowed to grab communications stored outside of the United States using a warrant signed by a magistrate judge anywhere in the US.

In the meantime, the DOJ will continue to pursue amendments to the Stored Communications Act — a law it’s already taken advantage of, thanks to it being outdated almost as soon as it was implemented. Further rewriting of the law in the DOJ’s favor would allow US law enforcement to become the world’s police, serving warrants in the US to gather documents stored around the globe.

While this may seem like a boon to law enforcement, it should be approached with extreme caution. If this becomes law (rather than just a precedential court decision) the US government should expect plenty of reciprocal demands from other countries. This would include countries with far worse human rights records and long lists of criminal acts not recognized in the US (insulting the king, anyone?). The US won’t be able to take a moral or statutory stand against demands for US-stored communications that may be wielded as weapons of censorship or persecution against citizens in foreign countries. Whoever ends up handing down the final answer — the Supreme Court or Congress — should keep these implications in mind.

Filed Under: domestic, ecpa, emails, foreign, sca, scotus, stored communications act, subpoena, supreme court, warrants
Companies: microsoft

DOJ Asks The Supreme Court To Give It Permission To Search Data Centers Anywhere In The World

from the world-is-[potentially]-yours dept

Having been told “no” twice by the Second Circuit Court of Appeals, the DOJ is asking the Supreme Court to overturn the decision finding Microsoft did not need to hand over communications stored in foreign data centers in response to a US warrant.

The Appeals Court told the DOJ that statutory language simply didn’t agree with the premise pushed by the government: that US-issued warrants should allow the law enforcement to dig through “file cabinets” not actually located at the premises (United States) searched. The court noted jurisdictional limitations have always been part of the warrant process (although recent Rule 41 changes somewhat undercut this). That the information sought is digital rather than physical doesn’t change this. The court suggested the DOJ take it up with Congress if it doesn’t like the status quo. The DOJ has proposed legislation but likely feels a Supreme Court decision in its favor would be a swifter resolution.

The DOJ’s 207-page petition [PDF] actually only contains about 30 pages of arguments. The bulk of the petition is made up of previous court decisions and oral argument transcripts covering the DOJ’s losses at the lower level. The Table of Contents gets right to the point, utilizing the section header “The panel’s decision is wrong” to set the tone for its rehashed arguments.

The DOJ quotes the dissenting judges from the Appeals Court’s decision, one of which makes the ever-popular “appeal to 9/11” argument:

Judge Raggi also emphasized the exceptional importance of this case and the “immediate and serious adverse consequences” of the panel’s ruling. “On the panel’s reasoning,” she explained, if the government had been able to show in early September 2001 probable cause to believe that the 9/11 perpetrators “were communicating electronically about an imminent, devastating attack on the United States, and that Microsoft possessed those emails,” a federal court would not have been able to issue a Section 2703 warrant if Microsoft had stored the emails outside the United States, “even though [Microsoft’s] employees would not have had to leave their desks in Redmond, Washington, to retrieve them.”

All well and good, if you like that sort of thing, but the facts of the case are far less dire:

In December 2013, the government applied for a warrant requiring Microsoft to disclose email information for a particular user’s email account. See App., infra, 2a, 8a-10a. The government’s application established probable cause to believe that the account was being used to conduct criminal drug activity.

This is how most arguments for expansions of law enforcement reach and grasp go: talk about how it will be used to stop terrorists; actually use it to hunt down normal criminals.

The petition admits Congress meant for domestic laws to only be applied domestically before arguing certain “applications” of US law should be seen as permissible inversions of Congressional intent. The DOJ argues Microsoft’s United States offices should permit worldwide searches of its data centers. Once again, the government’s arguments that stored communications are no different than paper files in a file cabinet (made when it wants broadly-written electronic storage searches to be seen as no more intrusive than a residence search) works against it. This interpretation of the Stored Communications Act means any service provider anywhere could be made to hand over documents stored overseas as long as they have a US office where a warrant can be served. This would be the case even if the service provider has no US storage locations and nothing more than a US-based “storefront” for convenience.

Microsoft has already responded with a lengthy blog post. It points out the better way forward is not to have the Supreme Court reinterpret a 30-year-old law, but rather to work with US service providers and Congress to build a better law that addresses the world as it is now.

The litigation path DOJ is now trying to extend in parallel to legislative progress seeks to require the Supreme Court to decide how a law written three decades ago applies to today’s global internet. The previous decision was soundly in our favor, and we’re confident our arguments will be persuasive with the Supreme Court. However, we’d prefer to keep working alongside the DOJ and before Congress on enacting new law, as Judge Lynch suggested, that works for everyone rather than arguing about an outdated law. We think the legislative path is better for the country too.

The post also points out cooperation with foreign law enforcement is a much faster process than has been portrayed by the DOJ, which insists it takes “weeks” to see results of these cooperative efforts. Following the Charlie Hebdo attack, Microsoft was able to turn over US-stored communications to French law enforcement in under an hour.

What the DOJ doesn’t seem to understand (or genuinely just doesn’t care about) is a decision granting it the power to seize communications from anywhere in the world would result in foreign governments expecting the same treatment when requesting communications stored in the US.

Should people be governed by the laws of their own country? If the decision in our case were reversed, it would subject every person in the world to every other country’s legal process. The email of a person who lives and works in Dublin would be subject to an American warrant issued by a U.S. court just as an American would be subject to an Irish warrant. Our customers tell us they want to be governed by the laws of their own government, and they deserve the certainty of knowing what laws govern their data.

If the Supreme Court decides to grant the DOJ’s petition, this won’t be argued until the next session, leaving the DOJ plenty of time to work on its legislative proposals. Hopefully, it’s actually working with US service providers on this, rather than thinking it’s the only stakeholder of importance in the legislative process.

Filed Under: data, doj, ecpa, jurisdiction, sca, stored data, subpoenas, supreme court
Companies: microsoft

Another Judge Says The Microsoft Decision Doesn't Matter; Orders Google To Hand Over Overseas Data

from the when-reality-is-complicated,-simply-ignore-it dept

Microsoft may not have to respond to government demands for US persons’ data held overseas, but it looks like everyone else (specifically, Google) will have to keep trawling their foreign data stores for US law enforcement.

The Second Circuit Appeals Court ruled US government warrants don’t apply to overseas data. Courts outside of the Second Circuit are finding this ruling doesn’t apply to Google’s foreign data storage. The most obvious reason for this is other circuits aren’t bound by this decision. The less obvious reason has to do with how Google stores its data.

As Google describes it, communications and data are in constant motion, moving in and out of the country as needed for maximum efficiency. When a warrant arrives, Google gathers everything it finds in its domestic servers but hands back a null response to data currently held overseas. Sometimes what Google hands law enforcement is nothing more than unusable digital fragments. Obviously, the government isn’t happy with this new status quo.

And it is a new status quo, as is pointed out in this ruling [PDF] by a DC magistrate judge [via FourthAmendment.com]. The ruling here aligns itself with one handed down in Pennsylvania earlier this year. In that decision — like in this one — the judge noted Google used to capture everything requested, no matter where it was located. It’s only very recently Google has refused to chase down data (and data fragments) located in servers around the world.

The process was described this way in the Pennsylvania decision:

Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google’s network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.

As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.

Nothing has changed here. And nothing has changed in terms of legal analysis, despite this memorandum order being issued in a DC court. The court finds Google does not effect a seizure of requested data because it simply makes a copy of it. It also points out (and Google concedes) that it does not act as a government agent when it does this, despite the only reason for Google’s copying of the data is to respond to a government warrant. The court notes the Stored Communications Act does carry privacy implications, but only as far as the private entity’s actions — not the government’s demands. The court’s analysis states the SCA provisions only prohibits unlawful access (such as hacking) while regulating companies’ responses to government demands.

The court goes on to say Google’s view of its legal responsibilities is completely untenable. Because of the transitory nature of Google’s data handling, it would never be able to fully comply with demands for records, no matter which country issued the order.

Finally, it must be said that the above Morrison analysis of the operative sections of the SCA has the added benefit of avoiding the bizarre results that application of the Microsoft decision to modern data networks like Google’s would produce. If that decision’s focus on the physical location of the data’s storage were to be applied to service providers using such networks, the records and information the government would receive in response to an SCA warrant may differ significantly depending on the date on which the warrant is served. Indeed, the same warrant served on ten different days may well produce ten different results depending on where on the network the shards of responsive data are located at the moment each warrant is served. Such random results — generated by a computer algorithm — would serve the interests of neither privacy nor international comity.

Compounding the problem, even assuming the service provider could and would identify for law enforcement the location of the foreign-based servers on which the missing data was stored (as Google refused to do here), that knowledge would effectively be useless to the government here. By the time the government could initiate the international legal process necessary to obtain the missing data from wherever it was stored, it is entirely possible that the network would have relocated the data yet again to a server in a different country. Moreover, it is Google’s position that it need not respond overseas to any such international legal requests because it is only at its headquarters in California that its data can be accessed and compiled into a recognizable electronic file. Thus, in Google’s view, the only means available to obtain records and information related to a Google account is by serving an SCA warrant on its LIS team in California.

The magistrate says that’s not going to work — not under the stipulations of the SCA. In fact, it’s just not going to work at all because of Google’s data-handling. It may be primed for efficiency, but does little to help it comply with warrants.

To reach the conclusion advanced by Google here, the Court would need to find that a properly-issued SCA warrant requiring the disclosure to law enforcement in the United States from Google’s headquarters in the United States of digital files accessible only from the United States constitutes an extraterritorial application of the SCA simply because pieces of data that make up those files were stored on a server located outside the United States at the moment in time the warrant was executed. Because such a conclusion runs contrary to the straightforward extraterritorial analysis of the SCA under Morrison detailed above, the Court finds that Google has not shown cause for its failure to produce all the records and information called for in the instant warrant within its possession, custody, or control.

In the end, the court orders Google to ignore the realities of its data flow. It may make things easier for law enforcement, but it has very little to do with keeping the government within its jurisdictional confines.

Google’s LIS representatives in California can access, compile, and disclose to the government those records and information with the push of a button and “without ever leaving their desks in the United States.” Microsoft, 829 F.3d at 229 (Lynch, J., concurring). Because that “entire process takes place domestically,” id., Google will be ordered to comply with the warrant in full, and to disclose to the government all responsive electronic records and infonnation identified in Attachment B to the warrant within its possession, custody or control, wherever those records and information may be electronically stored.

In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched — at least not by the government. Once it’s all packaged up locally, the local boys can access it without fear of a suppression challenge.

Filed Under: 4th amendment, doj, ecpa, international data, privacy, sca, subpoena, warrant
Companies: google, microsoft

MySpace Tries To Play Dead To Avoid Lawsuits

from the hide-and-seek dept

Yes, let’s get this out of the way already, so you don’t need to make this joke in the comments: as a social network, MySpace is considered pretty damn dead already. It lost its cool many, many years ago. And I do still love to point out this 2007 article suggesting that MySpace’s dominant position in the social networking market was almost impossible to crack (that didn’t age well). But that’s not what this post is about. You see, MySpace, still does exist — you can even visit it and double their traffic for the day. Even as the punchline in bad jokes, MySpace exists and (believe it or not) Time Inc. actually owns it, having bought the company, Viant, that owned it previously.

This story, however, is about how, soon after Time took over MySpace, its lawyers literally tried to hide the company from a plaintiff (and the court) by having the company play dead — even though it was very much alive. I’m not exaggerating. Time Inc. appeared to play a bunch of legal shenanigans to pretend that MySpace no longer existed, even as the company kept operating — to the point that Viant’s CEO was publicly hyping MySpace. Hell, months after Time Inc. tried to pretend MySpace was dead, Time’s CEO was talking up how amazing MySpace was in the press.

The background here: years ago, a guy named Stephen Aguiar was arrested and convicted for drug distribution. He’s in prison, serving 25 years. Sometime after his conviction he discovered that some of the evidence against him, that was supplied by MySpace (way back when MySpace was still a big thing), quite likely violated the Stored Communications Act.

Additional background: We’ve written about the Stored Communications Act before. It’s a part of the Electronic Communications Privacy Act (ECPA) that controls what kind of electronic information can be given up without a warrant. As we’ve also discussed for years, ECPA is woefully out of date for a variety of reasons including the fact that it says that all communications stored on a server for more than 180 days should be considered abandoned and no longer need a warrant to access. But communications less than 180 days do require a warrant.

Back to Aguiar. In late 2013 he discovered that back in 2009, the DEA sent an administrative subpoena to MySpace, under the Stored Communications Act, asking for certain content related to his MySpace account. An administrative subpoena is not a warrant. As we’ve described in the past, it’s basically a fishing expedition by law enforcement, in which they send an official looking document asking for information they may not actually have the rights to. MySpace, back in 2009, apparently had lawyers who fell for this and handed over basically all of Aguiar’s account info, despite at least some of it being protected under the SCA and requiring an actual warrant (which would require probable cause and a judge’s review).

Thus, in 2014, he sued MySpace for violating the Stored Communications Act, representing himself (pro se). At this point, MySpace was owned by Viant and it hired some lawyers to defend the case. All well and good. But, within weeks of Time Inc. buying Viant, something sketchy started happening. Without telling anyone, Time claims that it changed the name of its “MySpace LLC” subsidiary to “Legacy Vision LLC.” Then, it “transferred” all of MySpace’s assets to Viant. Four days later, it registered a brand new company… also called MySpace LLC. While this was happening, Time/MySpace basically told no one about this. The people operating MySpace had no idea and nothing changed. Even the lawyers who were representing MySpace in the case knew nothing about it and continued to represent the company for months — only to be told about six months later that the company they were representing stopped existing months earlier.

Prior to this MySpace had moved to dismiss the lawsuit, and was denied. So the case was supposed to move forward and MySpace was supposed to file an answer to the complaint. Except… it didn’t. It didn’t do anything at all. The magistrate judge, Patrick Walsh, demanded that the lawyer representing MySpace, Jane Rheinheimer, show up in court leading to a hearing last December with a fairly incredible transcript. Some excerpts:

RHEINHEIMER: My name is Jane Rheinheimer, I?m former counsel, well, counsel for the former MySpace LLC.

THE COURT: Okay. And who?s the representative from MySpace or Legacy?

RHEINHEIMER: There is none, your honor.

THE COURT: Why not?

RHEINHEIMER: Neither MySpace nor Legacy Vision LLC exists as an operating entity anymore, your honor.

THE COURT: Well that sounds like a lawyer talking, like as an operating an entity. Somebody signed a change in the name change in the spring.

RHEINHEIMER: It?s my understanding, your honor. And- My understanding is that Legacy Vision LLC currently exists only in name with the secretary of state. There is no management; there is no employees; there is no asset; there is no anything; there is no operating entity there, your honor.

Got that? There’s a sneaky game being played here. Effectively, it appears that Time is claiming that the MySpace that was sued became Legacy Vision, but that Legacy Vision shut down and isn’t operating at all. And that this operating MySpace is someone else entirely. The judge was… not impressed, leading to this crazy exchange between the judge and Aguiar (again, representing himself in court, where the judge is helping by explaining what’s going on):

THE COURT: Okay. All right, Mr. Aguiar, what do you want to do?

AGUIAR: I?m kind of out of my area of expertise, your honor. My understanding was that the name changed in March. Weren?t the parties obligated to notify either me or the court?

THE COURT: Of course they were. This is middle school stuff, right?

AGUIAR: Right.

THE COURT: This is how four year olds play hide-and-go seek. When you tell them to go hide and go seek, they cover their eyes, and they think you can?t see them, right?

AGUIAR: Right.

THE COURT: So MySpace changed its name to Legacy and they?re like, ?There?s no more MySpace, Court.? Okay, here?s what I?m going to do. I?m adding Legacy. I?m going to give you a default… and you can do what you want with it. All right?

In other words, the court was making it clear that it wasn’t buying this game. Of course, that same transcript included the court refusing to let MySpace’s former lawyer withdraw from the case, even as she was pointing out that she no longer has a client to pay her, because her “client” claims the company no longer exists:

THE COURT: We?ll be entering the default and you make your motion for default judgment. Ms. Rheinheimer, I understand you?re in a tough spot, but your request to withdraw as counsel is denied, okay? Corporations cannot proceed in the federal court without a lawyer and there?s no good reason for you to be off this case. I think it?s just gamesmanship that?s going on with Legacy and MySpace and Mr. Lee, and I?m not letting you off. We?re going forward. He?s going to file a motion for default judgment and if you don?t want to fight that, don?t fight it. I?ll enter the default judgment, okay? And you can go back?

RHEINHEIMER: Very well, your honor. There is no entity to pay me. I have no way of, I have no way of getting paid. There is noth?

THE COURT: I want to tell you I?ve been in this- as a law clerk, I worked at DOJ at the US attorney?s office and I?ve been a Judge for 15 years. I want to tell you what I understand what?s always been the practice since 1984, when I externed for Judge Layton at the federal district court in Chicago. We?re not here, we?re not bill collectors. The fact that you can?t get paid, the rules don?t provide ?you have to represent your client diligently unless you client is not paying you?. And our local rules don?t require, don?t allow you to get out from under a case because your client isn?t paying you. That?s something you have to- I?m not in the middle of those negotiations. You need to call up Mr. Lee and say, ?Hey Judge Walsh is leaving me on this case. I need to get paid.? And I think you should get paid, okay? I?m on your side there, but you?re not flipping the district court upside down because you?re not getting paid. All right?

Soon after this, a few things happened. First, the “new” MySpace got angry at being added to this case, and hired some new lawyers who filed to “intervene” in the case (even though they should already be in the case as it’s the same MySpace) in order to try to fight the ruling. The filing is a work of art if legal bullshit were an artform. It insists that MySpace LLC is some totally unrelated company to the MySpace LLC in the lawsuit and acts positively shocked that anyone might think they are the same:

Plaintiff?s Motion constitutes his latest attempt to obtain a default judgment against a company that: (1) never had any dealings with Plaintiff; (2) was never named as a party to this lawsuit; (3) did not exist until well after the conduct complained of in Plaintiff?s complaint occurred; and (4) is both factually and legally a separate entity from the ?Myspace LLC? identified in Plaintiff?s complaint which Plaintiff admits now operates under the name Legacy Vision LLC (hereinafter ?Judgment Debtor?).

In a separate filing, MySpace attempts to argue that when Time bought Viant/MySpace it structured a complicated agreement in which it was buying the assets, not the liabilities — and thus the complicated shell corporation and asset movement was really about fulfilling that agreement.

Second, Aguiar got legal representation from lawyer Caleb Mason, who some of you may recognize as a partner of Ken “Popehat” White’s. Mason then opposed the intervention and detailed much of the history I summarized above — including pointing out that despite the name changes and new corporations, MySpace hasn’t changed. The same lawyer who accepted service for the original lawsuit is still VP of legal affairs. The same lawyer representing the firm now represented the firm earlier in other cases. The same CEO of Viant/MySpace is still CEO of Viant/MySpace (now a Time Inc. subsidiary).

Third, the original MySpace/Viant lawyer filed a declaration to the court more or less burning MySpace/Viant for telling her to stop doing anything on the case in September way after all the shell games happened, and then completely ignoring her every time she tried to contact them about things moving forward in the case (including the court refusing to let her withdraw):

As is set forth in more detail in the Motion to Withdraw and Declaration of Jane A. Rheinheimer which is filed concurrently with the instant Declaration of Inability to File Opposition or Notice of Non- Opposition, all communication from Viant, Inc. and/or MYSPACE, LLC has ceased. I was advised by the previous corporate counsel for Viant, Inc. on September 16, 2016, that my firm?s services would no longer be required in connection with this matter. Additional written communications from my office on September 16, December 20, December 21, December 22, December 27, and December 29, 2016 and January 10, January 31, February 1, and February 3, 2017 have gone unanswered. I have sent corporate counsel copies of all pleadings, motions, and minute orders of this Court. All of these communications were sent via electronic mail, none of which have been returned.

Given all that, a few days ago the judge, James Otero, ruled in the case… and to say that he’s less than pleased with Time Inc./MySpace’s games here would be an understatement. The ruling denies “MySpace LLC”‘s request to intervene, because the judge notes it was already a party to the case and just chose to ignore it. All the maneuvering is written off as “gamesmanship and evasion.” This is the kind of thing you generally don’t want to hear a judge saying about your actions in a case:

The Court agrees that this is not a run-of-the-mill motion for default judgment. Although it claims otherwise, MySpace has been actively opposing the motion and has concealed material information or otherwise muddied its representations to the Court.

As for the claim that Time only bought the assets and not the liabilities, the court isn’t buying it:

Through a complicated series of transactions not previously disclosed to the Court, Proposed Intervenor argues that a Time, Inc. subsidiary transferred MySpace’s assets?but none of its liabilities?to Proposed Intervenor, which currently operates under the same…. MySpace fails to provide any documentation to support these purported transactions.

Also, as to the claims in MySpace’s attempt to “intervene” that MySpace LLC didn’t exist prior to all of this, the judge points out, wryly, some oddities if that’s the case:

A search of “MySpace LLC” on the California Secretary of State website reveals that it has the same address as the headquarters of Time, Inc., the parent company of Viant…. A search of “Legacy Vision LLC” on the website shows that Legacy Vision filed a Statement of Information on November 2, 2015?four months before Defendant MySpace allegedly changed its name to Legacy Vision?with the following information: the limited liability company name is listed as “MYSPACE LLC”; the manager of the entity is “Viant Technology Inc.”; and the “AUTH PERSON” who completed the form was Timothy C. Vanderhook, Chief Executive Officer of MySpace LLC and Viant Technology LLC…. “Viant Technology Inc.” is listed as the “Manager” of Legacy Vision, and has an address that matches that of Viant Technology LLC’s headquarters in Irvine, California….

Moreover, Proposed Intervenor’s counsel, LTL Attorneys LLP (“LTL”), was counsel of record for MySpace LLC in another action in the District of Delaware, captioned FO2GO LLC v. MySpace LLC, No. CV 15-00095 RGA (the “Delaware Action”), filed January 27, 2015…. In other words,assuming Proposed Intervenor did not exist until March 2016, it was somehow represented by the same firm over a year before.

The court further calls out attempts by this MySpace to also pretend that Viant Technology LLC and Viant Technology Inc. are somehow different companies (they are not). It goes on and on along these lines, including pointing out that the company had a legal obligation to update the court and the plaintiff in the case to changes in ownership to the defendant — and eventually orders MySpace to pay Aguiar 1,000forviolatinghisrightsundertheSCA,butalsotopaynearly1,000 for violating his rights under the SCA, but also to pay nearly 1,000forviolatinghisrightsundertheSCA,butalsotopaynearly75,000 in Aguiar’s legal fees.

What a mess. This kind of bullshit gamesmanship — having Time Inc. pretend that MySpace is dead just to avoid a court case — is the reason lawyers (especially corporate lawyers) have such a bad reputation among so many people. Thankfully it’s not always so easy to get away with.

Filed Under: caleb mason, corporate lawyers, dea, ecpa, shell corporations, stephen aguiar, stored communications act
Companies: legacy vision, myspace, time, viant

Court Says Microsoft Can Sue Government Over First Amendment-Violating Gag Orders

from the prior-restraint,-but-for-forever-wars dept

One of several service providers to sue the government over its gag orders, Microsoft received some good news from a federal judge in its lawsuit against the DOJ. Microsoft is challenging gag orders attached to demands for data and communications, which the DOJ orders is statutorily-supported by the Electronic Communications Privacy Act (ECPA) and, if not, by supposed national security concerns.

As Microsoft pointed out in its lawsuit, the government rarely justifies its secrecy demands and frequently issues gag orders with no endpoint. Microsoft received nearly 2,800 of these gag-ordered requests over an 18-month period, with over two-thirds of them demanding silence indefinitely.

The good news is a federal judge has (partially) waved away the DOJ’s motion to dismiss and will allow Microsoft to proceed with its lawsuit, as Politico’s Josh Gerstein reports.

U.S, District Court Judge James Robart issued a 47-page opinion [PDF] Thursday allowing Microsoft to proceed with a lawsuit claiming a First Amendment violation when the government restricts internet providers from notifying subscribers about requests for their data.

“The orders at issue here are more analogous to permanent injunctions preventing speech from taking place before it occurs,” Robart wrote. “The court concludes that Microsoft has alleged sufficient facts that when taken as true state a claim that certain provisions of Section 2705(b) fail strict scrutiny review and violate the First Amendment.”

Section 2705(b) refers to the Stored Communications Act, which allows the government demand notice be withheld under certain circumstances, unless otherwise forbidden to by another section of the same law (Section 2703). Microsoft is looking to have both sections declared unconstitutional, especially given the severe upheaval the communications landscape has undergone in the thirty years since the law was passed.

Microsoft contends that Section 2705(b) is unconstitutional facially and as applied because it violates the First Amendment right of a business to “talk to [the business’s] customers and to discuss how the government conducts its investigations.” Specifically, Microsoft contends that Section 2705(b) is overbroad, imposes impermissible prior restraints on speech, imposes impermissible content-based restrictions on speech, and improperly inhibits the public’s right to access search warrants. Microsoft also alleges that Sections 2705(b) and 2703 are unconstitutional facially and as applied because they violate the Fourth Amendment right of “people and businesses . . . to know if the government searches or seizes their property.”

Microsoft contends that the statutes are facially invalid because they allow the government to (1) forgo notifying individuals of searches and seizures, and (2) obtain secrecy orders that “prohibit providers from telling customers when the government has accessed their private information” without constitutionally sufficient proof and without sufficient tailoring.

The DOJ argued Microsoft didn’t have standing to bring this complaint, as its Fourth Amendment rights aren’t implicated. Only its customers’ are. But the court points out that, if nothing else, the company does have standing to pursue its claims of First Amendment violations.

The court finds that Microsoft has sufficiently alleged an injury-in-fact and a likelihood of future injury. Microsoft alleges “an invasion of” its “legally protected interest” in speaking about government investigations due to indefinite nondisclosure orders issued pursuant to Section 2705(b)… The court concludes that Section 2705(b) orders that indefinitely prevent Microsoft from speaking about government investigations implicate Microsoft’s First Amendment rights.

The court goes on to point out that frequent use of indefinite gag orders certainly appears to be unconstitutional, given that they act as a “forever” application of prior restraint.

The court also concludes that Microsoft’s assertions of further civil injuries aren’t speculative, as the DOJ claimed. Judge Robart points to the government’s own actions as evidence of continued harm to Microsoft’s civil liberties.

Microsoft bolsters its prediction by alleging that over a 20-month period preceding this lawsuit, the Government sought and obtained 3,250 orders–at least 4504 of which accompanied search warrants—that contained indefinite nondisclosure provisions. In addition, Microsoft alleges that in this District alone, it has received at least 63 such orders since September 2014. Because these orders have been frequent and issued recently, the Government will likely continue to seek and obtain them. Accordingly, Microsoft’s “fears” of similar injuries in the future are not “merely speculative.”

Unfortunately, the court won’t grant Microsoft the standing to represent its users for Fourth Amendment purposes. Judge Robart points to a whole bunch of precedential decisions declaring otherwise, but at least takes a bit of time to discuss how denying Microsoft this opportunity likely means denying several of its users any sort of redress.

The court acknowledges the difficult situation this doctrine creates for customers subject to government searches and seizures under Sections 2703 and 2705(b). As Microsoft alleges, the indefinite nondisclosure orders allowed under Section 2705(b) mean that some customers may never know that the government has obtained information in which those customers have a reasonable expectation of privacy… For this reason, some of Microsoft’s customers will be practically unable to vindicate their own Fourth Amendment rights.

Expect the government to make heavy use of its “national security” mantra as it defends itself in this case. Those magic words have allowed all sorts of civil liberties violations in the past and still tend to move courts to the government’s side when deployed in DOJ motions. If the court does side with Microsoft when this is all said and done, it’s likely the remedy won’t be a restriction on gag orders, but more likely something analogous to the rules that now govern National Security Letters — periodic review of gag orders by the government and better avenues for raising challenges for companies affected. Then again, the court could simply punt it back to legislators and push them to fix the 30-year-old law whose dubious constitutionality is the source of numerous lawsuits against the federal government.

Filed Under: doj, ecpa, first amendment, gag orders, sca, stored communications act, surveillance
Companies: microsoft