New draft article, "The Fourth Amendment Limits of Internet Content Preservation"

The government is violating the Fourth Amendment hundreds of thousands of times a year. And it's all in secret. Here's how to stop them.

|

I have posted a draft of a new article, The Fourth Amendment Limits of Internet Content Preservation, forthcoming in the St. Louis University Law Journal.  Here's the abstract:

Every year, hundreds of thousands of Internet accounts are copied and set aside by Internet providers on behalf of federal and state law enforcement. This process, known as preservation, is permitted without particularized suspicion. Any government agent can request preservation of any account at any time. Federal law requires the provider to set aside a copy of the account just in case the government later develops probable cause and returns with a warrant needed to compel the account's disclosure. The preservation process is largely secret. With rare exceptions, the account owner will never know the preservation occurred.

This Article argues that the Fourth Amendment imposes significant limits on the preservation of Internet account contents. Preservation triggers a Fourth Amendment seizure because the provider, acting as the government's agent, takes away the account holder's control of the account. To be constitutionally reasonable, the initial act of preservation must ordinarily be justified by probable cause – and at the very least, in uncommon cases, by reasonable suspicion. The government can continue to use the Internet preservation statute in a limited way, such as to freeze an account while investigators draft a proper warrant application. But the current practice, in which investigators can order the preservation of accounts with no particularized suspicion, violates the Fourth Amendment.

NEXT: Making Sense of Danville Christian Academy v. Beshear

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. If an ordinary American wanted to sue in order to stop these violations of our 4th amendment rights, how would you do that? I mean, wouldn't a judge ask: What is your actual injury? And then say, "Geez, no real injury to see here. Case dismissed"

    So...What is the actual injury here? I mean, does anyone seriously doubt that what the Federal government is doing is wrong? How does an ordinary citizen go about trying to stop it?

    My next question....Does this warrantless and secret preservation practice also violate the 9th amendment as well?

    1. Seems to me that anything turned up as a result of "Content Preservation" could be challenged as a fourth amendment violation and suppressed at trial if it came to that.

      A few well publicized cases where this happened would probably put a damper on the practice, but I'm not holding my breath.

      PS - nice to see Orin Kerr back. I haven't forgotten that I owe him a beer.

  2. What, please, are, "internet accounts?" Browsing history? Google searches? Social media activity? Email contents? All of the above?

    1. The account consists of everything about that account held by the provider. The contents of the account are the messages (e-mails, private messages), remotely stored files, etc. in the account.

      1. So, suppose the provider deliberately structures their service to not generate such records in the first place? Almost all current services COULD be structured that way, if you wanted to. Run everything locally on the customers' machines, peer to peer, and all the provider is offering is the software they run.

        What happens then?

        1. To be clear, what I mean is, could "all necessary steps to preserve records and other evidence" be interpreted as requiring your service to be altered to generate something that could be preserved?

          1. Not a lawyer, but worked in IT at a university. Like most computer nerds, we obsessively backed things up and kept them for years - there is essentially zero cost to doing that.

            As email became prominent (late 90's???) we went to considerable effort to restructure things so as to only retain email for 2 weeks. This wasn't done for civil liberties reasons, but because we were going to have to go on a hiring binge to keep up with the email subpoenas. Going back through years of backups and parsing out the email folders for a single user was a nontrivial amount of work.

            So I don't think the law at present can require prospective retention.

        2. Several providers of different internet services do deliberately structure their services to not generate such records in the first place. Those services generally advertise their privacy credentials.

          A mere preservation order can not require the provider to change their service or to start creating records that they do not already create.

          A couple years ago, one judge tried to get around this problem by redefining "records" to include the ephemeral data flying through flash memory. I do not know how that case ultimately turned out but I do know a) that the judge is a moron, b) that the standard was impossible as a matter of simple physics and c) that to the best of my knowledge no court anywhere has attempted to follow that "precedent".

          * The standard was impossible because as written it required the logging of flash memory but the act of logging involves more interactions which means more logging which means more flash memory which means more logging ad infinitum.

          1. A mere preservation order can not require the provider to change their service or to start creating records that they do not already create.

            Maybe not, but what can happen, and does happen, is that people government is interested in spying on (maybe a very large number of people) can be denied internet service unless that service is routed at some point through companies which already cooperate with the government.

            1. Can you elaborate? You seem to be saying that it is illegal for Absaroka Internet Services Unlimited to accept a customer of our internet services unless AISU agrees to route certain customer data over specific routes. As the proprietor of AISU, how do I check whether some new customer is one of the special ones, and how do I find out where to route her traffic?

            2. Short of places like China and North Korea, no they can't.

  3. Suppose the government treated all Internet activity as business records of the provider. Keep everything for seven years, or whatever the general law says about bank accounts and the like.
    Once probable cause happened the government could get a warrant to find out what Mr, Outoffavor did.

    1. My personal, non-commercial, email and web pages are the ISP's business records? That's probably pushing the third party doctrine far enough to get the Supreme Court's attention.

  4. "Federal law requires the provider to set aside a copy of the account. . . . "

    Is the copy a snapshot of the account from the date of the request only or is the provider keeping a running copy.?

    If it's just a snapshot, then I could see some validity like cops maintaining license plate numbers (for a certain amount of time) that they randomly photographed.

    If it's a running copy then that's active, targeted surveillance and 4A should kick in.

  5. "You would be unable to actually see the account contents
    unless you eventually develop probable cause and obtain a warrant."

    If that's actually being enforced, the practice seems less than problematic from the user's standpoint. Would it be considered a privacy violation if providers were routinely making complete backups of accounts, then deleting them after six months? I would think not. It would just be routine IT practice.

    Such backups would obviously be subject to warrants, after all. And at least warrants ARE being required, none of this 3rd party doctrine nonsense appears to be going on.

    An obvious issue, though, is the compelled nature of backing up the accounts. How exactly is this justified without paying the provider for the service?

    Now, keeping the existence of the order secret even after charges have been filed? THAT seems to be a serious issue. That's where I'd focus when it comes to reform.

    1. Would it be considered a privacy violation if providers were routinely making complete backups of accounts, then deleting them after six months? I would think not. It would just be routine IT practice.

      Such backups would obviously be subject to warrants, after all.

      If the backup still existed when the warrant issued, yes. If it was past the end of the provider's retention policy, then tough cookies.

      But this scheme basically gives the government the ability to override the provider's retention policy based on absolutely nothing (and, as you point out below, renew it in 90-day chunks, also based on absolutely nothing), in the hope that maybe someday they'll come up with something that will support a warrant.

      Something about an infinite number of monkeys comes to mind.

      1. "renew it in 90-day chunks"

        One renewal. Not forever.

        1. Maybe -- at a quick glance, I don't see that it's ever been litigated. Given it doesn't say "one and only one" additional request, there's no evident barrier to construing that language as requiring an additional 90-day retention for each additional request.

          And if a governmental entity did start sending serial requests for someone of particular interest, I wonder if that's a hill most providers would really want to die on.

  6. IANAL but scanning through § 2703(f), it sure seems like a court order, administrative subpoena, warrant, consent of the owner, formal written request relevant to a law enforcement investigation concerning telemarketing fraud (Note: very narrow requirement), etc. is required.

    So it seems like this is not just blanket authority for a govt entity to do what it wants.

    1. You're focusing on the rules for disclosure, not preservation.

      The disclosure rules are reasonable. The preservation rule?

      "(f)Requirement To Preserve Evidence.—
      (1)In general.—
      A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
      (2)Period of retention.—
      Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity."

      And that's it. They ask, you've got to do it, no warrant requirement or anything like that.

      1. You're right. Thanks.

  7. Professor Kerr, please tell us how you became aware of this practice. How do you know it happens thousands of times?

    1. Both are explained in the article.

  8. "a period of 90 days, which shall be extended for an additional 90-day period"

    90 days seems reasonable so not a 4A violation. We can argue about the second 90 as being too long.

    1. On the contrary, 90 seconds is unreasonable. If I have property that I want to destroy for whatever reason, you have no inherent right to stop me. Maybe I drew a picture and don't like the way it turned out. You should need a lot more than "I might want it someday" to stop me from tearing it up on my schedule.

  9. "the initial act of preservation must ordinarily be justified by probable cause"

    This is not self evident. 4A only has "probable cause" for warrants. Is this a warrant? Government does not get to SEE the account until a warrant is issued.

    "Reasonable suspucion" seems like its enough.

  10. Well, the only real 4th amendment remedies are the exclusionary rule. Sometimes. Maybe.

    And would it even apply here? Before carpenter, all of this was presumed to be allowed right under the third party doctrine. Once they have the information, is there a problem with using it?

    Now, I wish there was a functioning tort system in place where the average person who hasn't committed a crime could still sue for remedy and not be foreclosed by 11th amendment, immunities, or whatever, but seeing that that isn't the case ...

  11. This seems to be more a 5th amendment than 4th amendment issue. Actually looking at the retained data seems to involve probable cause and warrants, and thus comply with the 4th amendment.

    But the order to retain the data seems dubious on 5th amendment grounds, the government is just conscripting the service provider to do something for it, without any compensation.

  12. Some police officers will look up the driving record of that hot girl who drove past, the troublemaking reporter, the person criticizing the police too harshly, etc. That's illegal under the Drivers Privacy Protection Act but it is very hard to sue. How do you know somebody is snooping around with your information, or at least know enough plead a strong enough suspicion to survive a motion to dismiss?

    The solution to both problems (ISP snooping and DMV snooping) can be similar: All administrative requests shall be disclosed to the owner of the information absent a court order.

    1. A key point here is that they don't actually get to look at any of the information prior to obtaining a warrant.

      The only problematic issues I see here are the compelled service by the service provider, and the lack of disclosure if the warrant issues, or even if charges are filed.

  13. Even by ECPA standards, that's daft.

    The analogue or source for the "records or other evidence" language might be the duty to preserve in 12 USC 1829b -- FDIC transaction records. (One of only five occurrences in the Code.) If so, the statutory duty to preserve might consider the files as transactional elements, like a pen register on a computer server.

    Example: (1) Bob opened an account with my company, RCS.com; (2) On 7/5/2001, he saved a line of text reading "pack my box with five dozen liquor jugs"; (3) Bob closed his account the next day.

    If so, a request by a government entity at time (2) would seem to hold actions (1) and (2) and then capture (3), not as Bob's information, but as information responsive to the Federal Revenooers' subsequent process demanding that I account for all of my transactions with Bob. The question I then might ask is whether a statutory duty to preserve evidence is operative against a third party with both a right to possess and destroy the item, and no independent duty to preserve it. (2) exists both as a record of my transactions with Bob and Bob's gnomic utterance, but if he legitimately causes it to be taken from my possession, the question then becomes whether I have an obligation to preserve a separate transactional record independent of the little dots of silver on a hard drive that he managed to scour away.

    One counter-argument to the (generally strong) "snapshot" or drive imaging 4A argument is that a different drive or log structure might passively retain the data against customer deletion.

    Top of the head after a quick skim, not advice, don't rely. Congrats on going back to the early ideas -- always a strong choice.

    Mr. D.

Please to post comments