Follow: Email

Last week, the Ninth Circuit held in United States v. Wilson, No. 18-50440, 2021 WL 4270847, that a law enforcement officer violated a criminal defendant’s Fourth Amendment rights when he opened images attached to the defendant’s emails without a warrant, even though the images had previously been flagged as child sexual abuse materials (“CSAM”) by Google’s automated CSAM-detection software.  The court based its ruling on the private search exception to the Fourth Amendment, which permits law enforcement to conduct a warrantless search only to the extent the search was previously conducted by a private party.  Because no individual at Google actually opened and viewed the images flagged as CSAM, the court held that law enforcement “exceeded the scope of the antecedent private search,” thereby “exceed[ing] the limits of the private search exception.”  Op. at 20-21.

Continue Reading Ninth Circuit’s Interpretation of Private Search Exception to the Fourth Amendment Contributes to “Growing Tension” Among Circuit Courts

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”).  The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.

The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations.  However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies.  Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.

In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors.  As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.


Continue Reading OFAC Issues Updated Guidance on Ransomware Payments

On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes.  The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored.  The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement.
Continue Reading Australia Passes Cross-Border Data Access Law, Creates a Pathway for CLOUD Act Bilateral Agreement

Senators Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) have introduced the Lawful Access to Encrypted Data Act, a bill that would require tech companies to assist law enforcement in executing search warrants that seek encrypted data.  The bill would apply to law enforcement efforts to obtain data at rest as well as data in motion.  It would also apply to both criminal and national security legal process.  This proposal comes in the wake of the Senate Judiciary Committee’s December 2019 hearing on encryption and lawful access to data.  According to its sponsors, the purpose of the bill is to “end[] the use of ‘warrant-proof’ encrypted technology . . . to conceal illicit behavior.”

The bill has three main provisions:
Continue Reading Lawful Access to Encrypted Data Act Introduced

On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.

Continue Reading U.S. and U.K. Sign CLOUD Act Agreement

On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide.  The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.

Continue Reading Department of Justice Releases White Paper on CLOUD Act

In a decision that defines how the Fourth Amendment applies to information collected in the digital age, the Supreme Court today held that police must use a warrant to obtain from a cell phone company records that detail the location and movements of a cell phone user.  The opinion in Carpenter v. United States limits the application of the third-party doctrine, holding that a warrant is required when an individual “has a legitimate privacy interest in records held by a third party.”

The 5-4 decision, written by Chief Justice John Roberts, emphasizes the sensitivity of cell phone location information, which the Court described as “deeply revealing” because of its “depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.”  Given its nature, “the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection,” the Court held.
Continue Reading Supreme Court’s Carpenter Decision Requires Warrant for Cell Phone Location Data


Two federal appellate courts are taking sharply different views on whether—and why—government agents must have some amount of suspicion to conduct forensic searches of electronic devices seized at the border.

The Fourth Circuit on May 9, 2018, held that government agents must have reasonable suspicion to conduct forensic searches of cell phones seized at the

On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide.

The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components.

Part I:  Extraterritorial Reach