The tech giant has said that it received the warrants on June 7, before the US Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade, and that the documents “didn’t reference abortion at all.” It also said the warrants were accompanied by non-disclosure orders, which have since been lifted.
The company hasn’t said whether its response would have differed had it known what the possible charges would be. But tech companies have few options for shielding user content.
As it stands, users who are worried about data collection by law enforcement have few options other than to minimize the amount of data online service providers collect from them.
What laws govern law enforcement access to electronic communications?
When state or federal law enforcement officials want to access stored emails or online messages, they generally have to go through the Stored Communications Act. Other provisions of the Electronic Communications Privacy Act of 1986, like the Wiretap Act, address communications that are in transmission.
State laws may offer additional privacy protections. But the SCA establishes a sort of baseline, codifying Fourth Amendment-like privacy protections for stored online communications by explicitly limiting the circumstances under which federal or state governments may compel production of a user’s data.
Requirements under the SCA vary for different types of communications. Generally, the government is required to obtain a warrant, based on a showing of probable cause, when it seeks the “content” of electronically stored communications less than 6 months old. The SCA authorizes the government to demand older communications and certain “non-content” on a lesser showing via court orders or a subpoena, as long as the user is notified.
The Nebraska law referenced in the affidavits supporting the June Facebook subpoenas largely tracks the SCA’s provision governing required disclosure of customer communications or records. The state also has a SCA-like delayed notice provision, which was relied upon for the gag order that prevented Facebook from disclosing information about the warrants.
What if a company refuses to comply?
If a company resists a valid search warrant, it risks significant sanctions, including civil contempt, which can result in quasi-criminal penalties like substantial daily fines and even jail time. An entity’s refusal to comply with an otherwise lawful warrant eventually could amount to obstruction of justice.
Although an entity can usually challenge the scope or validity of a court order or subpoena before complying with it, the same isn’t true for criminal warrants.
In a 2015 case in New York state court involving Facebook’s challenge to 381 search warrants seeking user communications, a New York appeals court said Facebook had no ex ante recourse under the SCA. In other words, the user would have to challenge the evidence on the back end, via a motion to suppress. The SCA, however, doesn’t authorize suppression as a remedy for a violation of its provisions. Instead, it provides for equitable and injunctive relief, damages, and attorneys’ fees—so any suppression argument would have to be based on the Fourth Amendment.
That presents its own challenges, as not all courts agree that the Fourth Amendment extends to information held by a third party internet service provider. Under the third-party doctrine, one generally has no privacy interest in information voluntarily provided to others.
Do internet service providers have any obligation to protect user health data?
Internet service providers have no special obligation to protect user health data under federal law, as they generally aren’t considered “covered entities” under the Health Insurance Portability and Accountability Act.
And even if a internet service provider qualified as a covered entity, there are exceptions to HIPAA when the protected health information is sought pursuant to a warrant, subpoena, or court order.
A user’s content is presumed to be private and protected as such under the SCA, so the nature of that private content shouldn’t make any difference in the context of a government demand for records.
How can users protect their sensitive data?
End-to-end encryption would help shield user data by making it more difficult for the government to decipher seized content, and by reducing the risk that the third-party doctrine would come into play in a Fourth Amendment analysis.
It isn’t a surefire way to protect user data, however, as the government had lots of tools at its disposal for obtaining encryption keys and passwords.
Ultimately, the most effective strategy for users is to limit the amount of data that internet service providers are able to collect.
To Learn More:
—From Bloomberg Law:
—From Bloomberg News: