Warrant Needed In Massachusetts to Obtain Cell Phone Records

143669025_394e1b6649I am blogging this week for The Secure Times, the blog of the Privacy and Information Security Committee of the American Bar Association Section of Antitrust Law. Here is the first of this week’s posts.

The Massachusetts Supreme Judicial Court ruled 5-2 on February 18 in Commonwealth v. Augustine that the government must first obtain a warrant supported by probable cause before obtaining two weeks worth of historical cell site location information (CSLI).

Defendant had been indicted for the 2004 murder of his former girlfriend. During the investigation, the prosecution filed for an order to obtain CSLI from the suspect’s cellular service provider, but the order was filed under 18 U.S.C. § 2703(d) of the Stored Communications Act (SCA). Under that law, the government does not need to show probable cause, but only needs to show specific and articulable facts showing “that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”

The order was granted by the Superior Court in September 2004. Defendant was indicted by a grand jury in 2011, and filed a motion to suppress evidence associated with his cell phone in November 2012.

A judge from the Superior Court granted his motion to suppress, reasoning that this was a search under article 14 of the Massachusetts Declaration of Rights – which is similar to the Fourth Amendment to the U.S. Constitution – and thus a search warrant was required.

The Commonwealth of Massachusetts appealed, arguing that the CSLI was a business record, held by a third party, and that the defendant had no expectation of privacy in this information as he had voluntarily revealed it to a third party.

This argument did not convince the Massachusetts Supreme Judicial Court, ruling instead that defendant had an expectation of privacy in the CSLI and that the prosecution therefore needed to obtain a warrant based on probable cause to obtain this information.

The Third Party Doctrine

Why did the court find that the defendant had an expectation of privacy in his CSLI, even though this information was known by a third party, his cell phone service provider?

Under the U.S. Supreme Court third party doctrine, as stated in the U.S. v. Miller 1976 case and in the 1979 Smith v.Maryland case, a defendant has no reasonable expectation of privacy in information revealed to third parties.

In Miller, the Supreme Court found that defendant has no expectation of privacy in his bank records, as they were “business records of the banks.” Similarly, in Smith v. Maryland, the Supreme Court held that installing and using a telephone pen register was not a “search” under the Fourth Amendment, and thus no warrant was required, because the defendant had no expectation of privacy in the phone numbers he had dialed.

First, the Massachusetts Supreme Judicial Court recognized article 14 of the Massachusetts Declaration of Rights affords more protection than the Fourth Amendment to the U.S. Constitution.

Then, the Supreme Judicial Court distinguished Miller and Smith from the case, finding “significant difference” between these two cases and the case at stake. The Court noted that “the digital age has altered dramatically the societal landscape from the 1970’s.”

In Smith, the defendant had taken an affirmative step when dialing the numbers which had been communicated to the prosecution by the telephone company. He had to do it in order to be able to use his telephone service. As such, Smith had “identified] a discrete item of information…like a telephone number (or a check or deposit slip as in Miller) and then transmit it to the provider.”

But cell phone users do not transmit their data to their cell phone company in order to use the service. Instead, “CSLI is purely a function and product of cellular telephone technology, created by the provider’s system network.”

The court also noted that, while using a landline may only indicate that a particular party is at home, CSLI provides a detailed report of an individual’s whereabouts. The Massachusetts court quoted the State v. Earls case from the New Jersey Supreme Court, which stated that using a cell phone to determine the location of its owner “is akin to using a tracking device and can function as a substitute for 24/7 surveillance.”

As CSLI is business information “substantively different from the types of information and records contemplated by Smith and Miller,” the court concluded that it “would be inappropriate to apply the third-party doctrine to CSLI.” However, the court added that they saw “no reason to change [their] view thatthe third-party doctrine applies to traditional telephone records.”

Obtaining CSLI from a Cell Phone Provider is a Search and Thus Requires a Warrant

The court then proceeded to answer the question of whether the government needed a warrant to access the CSLI.

As CSLI informs law enforcement about the whereabouts of an individual, the Massachusetts Supreme Judicial Court compared it to electronic monitoring devices such as a GPS. It noted that “it is only when such tracking takes place over extended periods of time that the cumulative nature of the information collected implicates a privacy interest on the part of the individual who is the target of the tracking,” quoting the Supreme Court U.S. v. Jones case, where Justice Sotomayor and Justice Alito both noted in their concurring opinions that the length of a GPS surveillance is relevant to determine whether or not the individual monitored has or does not have an expectation of privacy.

The Massachusetts Supreme Judicial Court found relevant the duration of the period of time for which historical CSLI was sought by the government. The government may only obtain historical CSLI, meeting the SCA standard of specific and articulable facts, if the time period is “too brief to implicate the person’s reasonable privacy interest,” but the two-week period covered in this case exceeds it.

The court’s ruling was about article 14 of the Massachusetts Declaration of Rights. The Supreme Court has not yet considered the issue of whether obtaining CSLI is a search under the Fourth Amendment. Since courts are split on this issue, it is likely that the Supreme Court will answer the question of whether a warrant is required to obtain cell phone location records quite soon.

Source: The Secure Times

Image  is Cell Phone Life Vest courtesy of Flickr user Counselman Collection pursuant to a  CC BY-SA 2.0 license.

Facebooktwitterredditpinterestlinkedinmailby feather

SCA Protects Privacy of Non-Public Facebook Wall Posts

5454778149_620c36dbfeThe U.S. District Court for the District of New Jersey ruled on August 20 that non-public Facebook wall posts are covered by the Stored Communications Act (SCA). However, the authorized user exception applied in this case, as a colleague who had legally access to Plaintiff’s Facebook wall had forwarded the controversial  post, unsolicited, to their common employer.

The case is Ehling v. Monmouth-Ocean Hospital.

Plaintiff Deborah Ehling was as registered nurse and paramedic working for Defendant Monmouth-Ocean Hospital Service Corp. (MONOC). In June 2009, she posted a message on her account, implying that the paramedics who took care of the man who had killed a security guard outside the U.S. Holocaust Memorial Museum in 2009 should have let him die.

The privacy settings of Ehling’s Facebook account limited access to her Facebook wall to her Facebook friends. No MONOC managers were her Facebook friends, but several of her MONOC coworkers were, including Tim Ronco, who apparently decided on his own to provide screenshots of the controversial Ehling’s Facebook post to a MONOC manager.

Plaintiff was then suspended with pay and was told that her comment reflected a “deliberate disregard for patient safety.” Plaintiff then filed a complaint with the National Labor Relations Board (NLRB) which found that MONOC had not violated Ehling’s privacy as the post had been sent unsolicited to management.

Plaintiff was eventually fired, and filed an action against MONOC,  but the court granted defendant’s motion for summary judgment. I will only talk about the violation of the SCA.

Stored Communications Act

Plaintiff claimed that Defendant had violated the SCA when accessing the messages posted on her Facebook wall.

The SCA, 18 U.S.C. § 2701, is part of the Electronic Communications Privacy Act (ECPA) of 1986. The SCA forbids unlawful access to stored communications, that is,“(1)intentionally access[ing]s without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceed[ing] an authorization to access that facility.”

According to the Ehling court, Facebook wall posts are indeed electronic communications as defined by 18 U.S.C. § 2510(12) that is,“any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”

Facebook’s users transmit data over the Internet, from their devices to Facebook’s servers, and thus their posts are electronic communications within the meaning of the SCA. No new issue here. The New Jersey court cited the 2010 Central District Court of California case, Crispin v. Audigier, which stated that Facebook and MySpace were electronic communications providers. Again, nothing new.

Finally, Facebook posts are saved on its servers indefinitely, thus backing them up. Therefore, Facebook wall posts are in electronic storage within the meaning of the SCA, 18 U.S.C. § 2510(17)(B), which defines the storage of electronic communications for purposes of backing them up. We are all set, the SCA applies in this case.

Public Electronic Communications/Private Electronic Communications

The controversial issue was instead whether Plaintiff’s Facebook posts were public or private. This is important, as the ECPA only protects private communications. The Ninth Circuit had noted in the 2002 case Konop v. Hawaaiian Airlines, Inc. that “the legislative history of the [SCA} suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards.”

But a completely public BBS is not protected by the SCA. Indeed, the SCA legislator wrote that:

the bill does not for example hinder the development or use of electronic bulletin boards or other similar services where the availability of information about the service, and the readily accessible nature of the service are widely known and the service does not require any special access code or warning to indicate that the information is private. To access a communication in such a public system is not a violation of the Act, since the general public has been ‘authorized’ to do so by the facility provider”. (S. REP. NO. 99-541, at 36)

Konop was cited in Crispin v. Audigier, where the court reasoned that “there is no basis for distinguishing between a restricted-access BBS and a user’s Facebook wall or MySpace comments.” The New Jersey District court cited Audigier to conclude that non-public Facebook wall postings are covered by the SCA.

As the privacy settings of Plaintiff’s Facebook account prevented non-Facebook friends to access the messages on her wall, these messages were not really “public” and therefore the SCA applied to them. However, the authorized user exception of the SCA applied in this case.

Why the SCA’s Authorized User Applied in this Case

There is no liability under the SCA if access “[is] authorized … by a user of that service with respect to a communication of or intended for that user,” 18 U.S.C. § 2701(c)(2).

The court cited its own 2009 Pietrylo v. Hillstone Rest. Grp. case which had found that there is no violation of the SCA if the access to an electronic communication has been authorized. In the Pietrylo case, the manager of a restaurant had accessed the MySpace account of an employee, accessible only by invitation, by asking another employee to provide him the password. In Ehling, one of Plaintiff’s colleagues had voluntarily forwarded the electronic communication to the employer “without any coercion or pressure.” Therefore, the access was authorized. The difference is there, asking/coercing for access, or learn about the communication from an unsolicited third party.

Take away

Case law is consistent in this issue. While employers should not coerce or pressure employees to provide them access to the social media account of another employee, it is not illegal for them, under the SCA, to access a social media post if a third party willingly shares this information with them.

As for providing access to one’s own social media account to one’s employer, New Jersey recently enacted a law prohibiting employers to ask for user names, passwords, or other means for accessing employee’s electronic communications devices. Several states have similar laws, but New York is not one of them yet.

Image is Facebook wall courtesy of Flickr user Marcin Wichary pursuant to a CC BY 2.0 license.

 

Facebooktwitterredditpinterestlinkedinmailby feather