Government Affairs Blog
June 29, 2018
WILL ALL ELECTRONIC COMMUNICATIONS EVENTUALLY ACQUIRE TOP-LEVEL PRIVACY PROTECTION?
The US Supreme Court recently issued a ruling that curbs law enforcement agency (LEA) access to subscriber location records stored by wireless communication service providers (CSPs). In Carpenter v. US, the Court held that an LEA must show a judge “probable cause,” not just “specific and articulable facts,” before asking a CSP to disclose a suspect’s historic cell site location information (CSLI). Probable cause is the nation’s highest level of due process. The standard requires an LEA to make a factual demonstration that the suspect is probably engaged in a crime.
In the short run, the Supreme Court pronouncement may well reduce the number of court orders served on CSPs to produce CSLI. But what about the long run? Will the courts ultimately strengthen privacy protection for other forms of electronic communication?
Real-time location is arguably just as private as historic location
In Carpenter, the Court articulated strong reasons to elevate the due process standard governing CSLI. The majority opinion said CSLI provides “an all-encompassing record of the [cell phone] holder’s whereabouts.” Detailing the threat to privacy, the opinion spoke of “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection ….”
Actually, a court may authorize an LEA to investigate a suspect’s whereabouts in two ways. One approach is to collect the person’s CSLI, as described in the Carpenter case. The other option is to monitor the person’s movements in real-time. In the real time scenario, the court issues a “pen/trap” order or “full-content” order, and the CSP activates a technical solution in its network that discloses the suspect’s cell phone location (at the start and end of each suspect call) to the LEA in real-time for a period of 30 or 60 days.
The Court justified its judicial elevation of CSLI in part by reasoning that an investigation of CSLI is more intrusive than the real-time monitoring of a suspect’s vehicle using a vehicle tracking device. In particular, the court emphasized that CSLI traces the location of the suspect, not just the suspect’s car. However, the Court did not compare CSLI with the kind of location gleaned from pen/trap orders and full-content orders. Like CSLI monitoring, real-time cell phone location monitoring traces an individual’s movements over time. Both forms of location monitoring produce “an all-encompassing record of the [cell phone] holder’s whereabouts.” Both are “deeply revealing” in “depth, breadth, and comprehensive reach.” And both are “inescapable and automatic” in the nature of their collection.
Based on the above, it seems inevitable that US courts will ultimately accord the same top-level “probable cause” protection for real-time cell phone location monitoring that Carpenter recognized for historic cell phone location monitoring. Such a privacy-expanding outcome would make it more difficult for LEAs to obtain court orders for the real-time monitoring technique.
Communication transactional records are arguably just as private as historic location records
Wireless location is not the only type of footprint left by suspects on communications networks. The individuals also accumulate transactional records, known in the voice communication world as call data records, or “CDRs.” Think of the telephone calling information we see on our monthly phone bills. Under current law, an LEA may collect CDRs with a court order or self-generated subpoena. The applicable due process standard is the lowest one. Specifically, the LEA must only confirm that the desired records are “relevant” to a criminal investigation.
CDRs are surprisingly informative. When an investigator discovers who a suspect called and who called the suspect, along with the related times and dates over several months or a year, he or she can run the data though an analytics program that makes accurate inferences about the suspect’s private life. The algorithms expose calling patterns that distinguish the boss of the suspected crime ring from the lieutenants and henchmen. Also detectable are clues about the nature of the criminal activity itself, such as drug trafficking, auto theft, or burglary. The automation can even help predict when and where the bad guys will strike next.
Notice that CDRs are deeply revealing in their depth and breadth, and comprehensive in their reach. They are also inescapable and automatic in the nature of their collection. Moreover, the records are stored by all types of communication providers, not just wireless carriers.
For these reasons, one could say subscribers deserve the same top-level probable cause protection for CDRs that Carpenter delivered for wireless location records. The result would be another win for privacy protection and another setback for criminal investigations.
Traditionally, some components of electronic communication have been legally considered more private than others. But Carpenter points in a new direction. Based on the reasoning of the case, most if not all of our digitally-communicated life may ultimately be deemed highly private. At that point we would communicate with less risk of LEA monitoring. On the other hand, we would live at greater risk of criminal harm.
April 26, 2018
HOW WILL THE PROPOSED EU PRODUCTION ORDER AND THE US CLOUD ACT AFFECT INTERNATIONAL COMMUNICATIONS SERVICE PROVIDERS?
The European Commission just proposed legislation to solve the problem faced by European law enforcement agencies (LEAs) when they try to collect investigative data such as emails and text messages stored by communication service providers (CSPs) in foreign data centers. The proposal, called the EU Production Order, would potentially replace existing investigative channels such as mutual legal assistance treaties, or “MLAT” treaties, which are considered slow and unreliable. The US recently enacted a similar law called the Clarifying Lawful Overseas Use of Data Act, also known as the “Cloud Act.” How would the Production Order and the Cloud Act affect international CSPs?
February 8, 2018
THE COMPLEX WORLD OF PRIVACY PROTECTION: WHAT INTERNATIONAL COMMUNICATIONS SERVICE PROVIDERS MUST KNOW
In 2018 two new privacy laws take effect in the European Union. One is the General Data Protection Regulation (GDPR), which upgrades the general EU standards of privacy protection. Included in the GDPR’s scope of coverage are communication service providers (CSPs). The other new privacy law is the Data Protection Directive on Police Matters (the EU Directive), which requires EU law enforcement agencies (LEAs) to protect privacy when conducting criminal investigations. The EU Directive gives each EU member state discretion to interpret the principles of the Directive in its own national laws. As a result, EU investigative privacy standards will likely vary from one state to the next.
December 13, 2017
WILL THE SUPREME COURT RAISE THE BAR FOR LAW ENFORCEMENT COLLECTION OF SUBSCRIBER LOCATION DATA?
The Supreme Court is now hearing a case that poses the question: what level of due process should a law enforcement agency (LEA) be required to meet before asking a communication service provider (CSP) to produce a criminal suspect’s historic cell phone location data? Based on the Court’s recent oral argument in the case, called Carpenter v. United States, it appears somewhat likely they will subject such location inquiries to the top-level “probable cause” standard. Why are the justices heading in that legal direction, and what would it mean for CSPs?
November 9, 2017
HOW CAN AN INTERNATIONAL COMMUNICATION SERVICE PROVIDER AVOID INTERNATIONAL CONFLICTS OF SURVEILLANCE LAWS?
As US communication service providers (CSPs) increasingly enter foreign markets they become subject to foreign mandates for lawful electronic surveillance, otherwise known as lawful interception or “LI.” The US LI mandate was not designed in coordination with foreign LI mandates. As a result, an LI validly authorized in the US may be deemed illegally implemented on another country’s soil. How can an international CSP avoid these conflicts of law?