Follow: Email

Last week, the Ninth Circuit held in United States v. Wilson, No. 18-50440, 2021 WL 4270847, that a law enforcement officer violated a criminal defendant’s Fourth Amendment rights when he opened images attached to the defendant’s emails without a warrant, even though the images had previously been flagged as child sexual abuse materials (“CSAM”) by Google’s automated CSAM-detection software.  The court based its ruling on the private search exception to the Fourth Amendment, which permits law enforcement to conduct a warrantless search only to the extent the search was previously conducted by a private party.  Because no individual at Google actually opened and viewed the images flagged as CSAM, the court held that law enforcement “exceeded the scope of the antecedent private search,” thereby “exceed[ing] the limits of the private search exception.”  Op. at 20-21.

Continue Reading Ninth Circuit’s Interpretation of Private Search Exception to the Fourth Amendment Contributes to “Growing Tension” Among Circuit Courts

On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes.  The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored.  The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement.
Continue Reading Australia Passes Cross-Border Data Access Law, Creates a Pathway for CLOUD Act Bilateral Agreement

Yesterday the Supreme Court issued a decision in Van Buren v. United States, No. 19-783, ruling that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was permitted to access, but did so for an improper purpose.  In so ruling, the Court adopted a relatively narrow reading of the CFAA, and partially resolved a years-long debate concerning the scope of liability under the CFAA.

The CFAA prohibits, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.”  18 U.S.C. § 1030(a)(2).  What it means to “exceed authorized access” has been the subject of disagreement among lower courts:  Some have concluded that this term refers to accessing areas of a computer that the user is not permitted to access under any circumstances—e.g., a student accessing her university’s database of grades that is restricted to only administrator use.  Others have concluded that this term also encompasses individuals who are permitted to access an area of a computer for certain purposes, but they do so for an improper purpose—e.g., an administrator accessing the university’s database of grades that she is generally permitted to use, but she does so for the improper purpose of blackmailing a student.
Continue Reading Supreme Court Adopts Narrow Reading of the CFAA in Van Buren v. United States

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions:
Continue Reading Lawful Access to Encrypted Data Act Introduced

On June 16, 2020, the First Circuit released its opinion in United States v. Moore-Bush.  The issue presented was whether the Government’s warrantless use of a pole camera to continuously record for eight months the front of Defendants’ home, as well as their and their visitors’ comings and goings, infringed on the Defendants’ reasonable expectation of privacy in and around their home and thereby violated the Fourth Amendment.  The appeal followed the district court’s decision in June 2019 in favor of Defendants’ motions to exclude evidence obtained via the pole camera.  The Government, without obtaining a warrant, had installed a pole camera on a utility pole across the street from Defendants’ residence.  The pole camera (1) took continuous video recording for approximately eight months, (2) focused on the driveway and the front of the house, (3) had the ability to zoom in so close that it can read license plate numbers, and (4) created a digitally searchable log.

In their motions to exclude, the Defendants, relying on Katz v. United States, argued they had both a subjective and objective reasonable expectation of privacy in the movements into and around their home, and that the warrantless use of the pole camera therefore constituted an unreasonable search under the Fourth Amendment.  The Government relied on an earlier First Circuit case, United States v. Bucci, which held that there was no reasonable expectation of privacy in a person’s movements outside of and around their home—“An individual does not have an expectation of privacy in items or places he exposes to the public.”  Thus, Bucci held that use of a pole camera for eight months did not constitute a search.
Continue Reading United States v. Moore-Bush: No Reasonable Expectation of Privacy Around the Home

On March 31st, Washington Governor Jay Inslee signed into law SB 6280, a bill aimed at regulating state and local government agencies’ use of facial recognition services.  An overview of the law’s provisions can be found here.

Notably, Governor Inslee vetoed Section 10 of the bill, which aimed to establish a legislative

On March 12, 2020, Washington’s state legislature passed SB 6280, a bill that will regulate state and local government agencies’ use of facial recognition services (“FRS’s”).  The bill aims to create a legal framework by which agencies may use FRS’s to the benefit of society (for example, by assisting agencies in locating missing or deceased persons), but prohibits uses that “threaten our democratic freedoms and put our civil liberties at risk.”
Continue Reading Washington State Passes Bill Limiting Government Use of Facial Recognition

On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.

Continue Reading U.S. and U.K. Sign CLOUD Act Agreement

When the U.S. government conducts electronic surveillance, there are a variety of legal authorities on which it relies.  The Wiretap Act, for example, authorizes the government to conduct live telephone wiretaps in certain criminal investigations; for electronic data, the Act also permits the government to acquire electronic communications in real time.  The Stored Communications Act (“SCA”) authorizes the government to obtain stored electronic data, including the content of email messages hosted online for criminal investigations.

Continue Reading Coercive and Non-Coercive Surveillance Authorities

On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide.  The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.

Continue Reading Department of Justice Releases White Paper on CLOUD Act