SHOULD A SERVICE PROVIDER NOTIFY CUSTOMERS WHEN THEY ARE SUBJECT TO LAW ENFORCEMENT INVESTIGATIONS?

Ready for the latest privacy law challenge by an American Internet giant against American law enforcement? This time the tech giant is Microsoft. The lawsuit claims a non-disclosure rule in the Electronic Communications Privacy Act (ECPA) is unconstitutional. And the controversy could impact all communication service providers (CSPs).

ECPA’s Non-Disclosure Rule

ECPA is the federal statute passed in 1986 that protects communications privacy but permits exceptions for inquiries such as law enforcement investigations. Let’s say a law enforcement agency (LEA) serves a court order on a CSP seeking copies of the past two months of emails belonging to a CSP subscriber suspected of armed robbery. The LEA may need to keep the suspected robber unaware of the criminal probe for fear that the person will destroy evidence, kill witnesses, or flee the jurisdiction.

ECPA contains two rules to preserve the confidentiality of criminal investigations. Section 2705(a) (the Delayed Notice Rule) states that in situations where an LEA is normally required to notify a suspect of an investigation, it may ask a court to delay the notice by 90 days, and the court may grant 90-day extensions as needed. Under Section 2705(b) (the Non-Disclosure Rule), the court may order the CSP not to disclose the existence of the investigation. Unlike the Delayed Notice Rule, the Non-Disclosure Rule contains no 90-day limit. It lasts for “such period as the court deems appropriate.”

Microsoft’s Opposition to the Non-Disclosure Rule

In its April 14th complaint before a federal district court, Microsoft argues that because the Non-Disclosure Rule lacks the accountability of a fixed timeframe it violates the First and Fourth Amendments of the Constitution. The Rule violates the First Amendment, according to Microsoft, by postponing indefinitely its free speech right to inform its customers of actions affecting their private data. Moreover, Microsoft states that if the customer lacks awareness of the LEA request, the acquisition of customer records is an unreasonable search and seizure that breaches the person’s Fourth Amendment rights.

Microsoft claims it has standing to raise the Fourth Amendment issue on behalf of its customers because: (i) the Non-Disclosure Rule erodes customer trust in Microsoft’s cloud computing services; (ii) Microsoft’s close relationship with its customers entitles the company to assert their constitutional rights; and (iii) the Non-Disclosure Rule hinders customers from defending their own Fourth Amendment rights.

The First Amendment Impact of the Non-Disclosure Rule

The 90-day feature of the Delayed Notice Rule protects a suspect’s due process right to notice that he or she is under investigation. Specifically, the time limit ensures the suspect receives such notice at the earliest practical date. By contrast, the purpose of the Non-Disclosure Rule is not to protect the suspect but to guard the confidentiality of the investigation. That explains why courts have more flexibility to set the Non-Disclosure Rule timeframe as they see fit.

Adding a 90-day limit or related accountability feature to the Non-Disclosure Rule would do CSPs no good. Judges would still have to impose non-disclosure orders of sufficient duration to preserve the confidentiality of investigations. As a result, the more “narrowly tailored” Non-Disclosure Rule that Microsoft demands would not enhance free speech. Potentially, Microsoft’s formulation may reduce free speech by mandating non-disclosure for 90 days when a shorter period would suffice.

The First Amendment implications of non-disclosure rules were thoroughly vetted by the Second Circuit Court of Appeals over a decade ago in connection with national security letters (NSLs), a kind of subpoena used in terrorist investigations. The litigation produced a change in the NSL process so CSPs would not need to initiate litigation to raise First Amendment claims. But significantly, the Court did not criticize the duration of NSL non-disclosure orders, even though such orders are permanent.

The Fourth Amendment Impact of the Non-Disclosure Rule

Despite Microsoft’s Fourth Amendment theory, courts have consistently ruled that CSPs may not raise Fourth Amendment claims on behalf of their subscribers. A CSP served with a court order for subscriber information is just a “witness” to the investigation with a duty to deliver all validly requested data in its possession. If the investigation leads to a trial, the suspect may raise his or her own Fourth Amendment objections and have any illegally obtained evidence thrown out of court.

This legal framework was upheld in two recent cases involving LEA demands on Internet providers for subscriber information. One case in 2012 dismissed a Fourth Amendment motion by Twitter; the other denied a similar claim in 2015 by Facebook.

How CSPs should observe the Non-Disclosure Rule

Only a judge can properly decide how long a criminal investigation should remain confidential because only he or she can objectively assess whether tipping off the suspect would frustrate the investigation. The same issue arises in democracies worldwide, which is why they all impose non-disclosure restrictions similar to the ECPA rule.

The Non-Disclosure Rule has been part of ECPA for 30 years, so it is very late to claim the Rule erodes customer trust. Nevertheless, CSPs should address the issue in their privacy policies. They should announce that although they strongly guard the privacy of subscriber data, they deliver such data to third parties as required by law. The message will help preserve customer trust while serving the needs of law enforcement.