The Growing Importance of Terms Addressing Cybersecurity and
Law Enforcement Data Gathering
Risks associated with turning over, or failing to turn over, information to law
enforcement or in response to a civil litigation subpoena: Communications Assistance
for Law Enforcement Act (CALEA) and other legal requirements; lessons from recent
cases
Overview
I. Communications Assistance for Law Enforcement Act of 1994
(CALEA)
II. Electronic Communications Privacy Act (ECPA)
III. Consequences of Refusal/Compliance with Law
Enforcement Data Requests
IV. Importance of Contract Terms with Regards to
Law Enforcement Data Requests
I. CALEA
Communications Assistance for Law Enforcement Act (“CALEA”), Pub. L.
No. 103-414, 108 Stat. 4279 (codified at 47 U.S.C. §§ 1001-1010):
• Intended to preserve the ability of law enforcement agencies to use
wiretapping by requiring telecommunications carriers to design their
systems to ensure that such wiretapping could be accomplished
• Requires telecommunications providers to assist law enforcement in
isolating “call-identifying information”
– i.e., “dialing or signaling information that identifies the origin, direction,
destination, or termination of a communications”
• Excludes information on the physical location of the subscriber from being
acquired by law enforcement “solely pursuant to the authority for pen
registers and trap/trace devices”
I. CALEA
CALEA applies to:
• “Entity engaged in the transmission or switching of
wire or electronic communications”
• Authorizes FCC to expand to any service that it
finds is a “substantial replacement” for local
exchange service
• In 2005, FCC used the substantial replacement
concept to expand CALEA to I-VoIP and Broadband
Internet Access Services
I. CALEA
FCC’s rules also require covered entities to:
• Develop internal policies and procedures to address
CALEA compliance, including record-retention
policies subject to FCC review; and
• File a certification attesting to the company’s
procedures and appointing a senior officer to
oversee CALEA compliance
I. CALEA
Three methods of CALEA compliance (In the Matter of
Communications Assistance for Law Enforcement Act and Broadband
Access and Services, ET Docket No. 04-295, RM-10865, Second
Report and Memorandum Opinion and Order (rel. May 12, 2006)):
• Carrier may develop its own compliance solution for its unique
network (the FCC does not provide safe harbor provisions)
• Carrier may purchase a compliance solution from vendors,
including the manufacturers of the equipment it is using to provide
service
• Carrier may purchase a compliance solution from a trusted third
party (TTP)
I. CALEA
Risks of non-compliance:
i. NSA Scandal
ii. Criminal Enforcement
iii. FCC Enforcement
iv. DOJ Enforcement
v. Team Telecom Enforcement
vi. Subscriber Enforcement
I. CALEA
i. Enforcement Risk from NSA Scandal:
• Misconception: NSA surveillance programs moot the need
for communications service providers to comply with CALEA
• Reality: NSA programs do not replace CALEA because they
do not support criminal investigations, gather content, or
intercept in real time
• Irony: NSA programs may generate more demand for CALEA
compliance because they help identify criminal suspects
I. CALEA
ii. Enforcement by Criminal Court:
• Triggered by: failure to implement an order for lawful surveillance
• Applies to: service providers and equipment vendors
• Involves: show cause order by federal or state court under 18 U.S.C.
§ 2522(a), hearings and evidentiary submissions
• Potential liability: includes fines up to $10,000 per day for each day
of violation and/or remedial action (immediate CALEA upgrade)
• Factors: reasonable availability of alternate technologies,
compliance is reasonably achievable, nature and extent of violation;
good faith efforts to comply; degree of culpability; ability to continue
to do business; ability to pay; “other matters as justice may require”
I. CALEA
iii. Enforcement by the FCC:
• Triggered by: FBI complaint
• Applies to: service providers and equipment vendors
• Involves: notice of apparent liability under Section 229 of
Communications Act, questionnaire, evidentiary submissions,
meetings with FCC Enforcement Bureau, possible periodic reports
• Potential liability: settlement agreement (with immediate CALEA
upgrade) and/or fines
• Factors: nature and extent of violation; good faith efforts to
comply; degree of culpability; ability to continue to do business;
ability to pay
I. CALEA
iv. Enforcement by Department of Justice:
• Triggered by: Persistent non-compliance
• Applies to: service providers and equipment vendors
• Involves: civil suit in U.S. district court under 18 U.S.C. § 2522(b),
hearings and evidentiary submissions
• Potential liability: civil fine of $10,000 per day for each day of
violation and/or remedial action (immediate CALEA upgrade)
• Factors: reasonable availability of alternate technologies, whether
compliance is reasonably achievable, nature and extent of
violation; good faith efforts to comply; degree of culpability; ability
to continue to do business; ability to pay, “other matters as justice
may require”
I. CALEA
v. Enforcement by Team Telecom:
• Triggered by: application under Section 214 of the FCC’s Rules to
serve U.S. market
• Applies to: foreign-owned service providers
• Involves: “triage” questionnaire regarding ownership, operations,
and law enforcement assistance capabilities
• Potential liability: letter of no-action, letter of assurances, or
national security agreement, which may guarantee capabilities
beyond those minimally required by CALEA
• Factors: nature and extent of risk to security of U.S.
communications
I. CALEA
vi. Enforcement by Subscribers:
• Triggered by: over-disclosure of data to law enforcement
• Applies to: service providers, equipment vendors and application
developers
• Involves: (typically) class action data privacy suit in federal or
state court under wiretap or privacy laws
• Potential liability: civil or criminal penalties, remedial action
• Factors: whether plaintiffs have standing, whether disclosure was
made with due process (e.g., court order or emergency, whether
network is equipped with CALEA safe harbor solution)
II. ECPA
Electronic Communications Privacy Act (“ECPA”), Pub. L. No. 99-508, 100 Stat. 1848
(codified in 18 U.S.C. §§ 1367, 2521, 2701 to 2709, 2711, 3117, 3121 to 3124, 3126 and 3127)
Includes:
• The Wiretap Act (“Title III”), as modified by the ECPA (18 U.S.C.
§§ 2510-2522)
• The Stored Communications Act (“SCA”), Title II of the ECPA
(18 U.S.C. §§ 2701-2711)
• The Pen Register and Trap and Trace Devices Act (“Pen/Trap
Act”) (18 U.S.C. §§ 3121-3127)
II. ECPA – Title III
Title III:
• General Rule: Interception and disclosure of wire, oral, or electronic
communications is prohibited (18 U.S.C. § 2511(1))
• Exceptions (18 U.S.C. § 2511(2)):
– (i) expectation of privacy;
– (ii) open wireless network (e.g., Wi-Fi);
– (iii) Law Enforcement w/ Requisite Legal Authority;
– (iv) Accidental Acquisition;
– (v) Emergencies;
– (vi) Computer Trespass;
– (vii) Ordinary Course of Business; and
– (viii) Consent
II. ECPA – Title III
Law Enforcement Exception (18 U.S.C. § 2518): Authority to
intercept the content of messages contemporaneously with
transmission:
• “Contents” (18 U.S.C. § 2510(8)): When used w/ respect to
any wire, oral, or electronic communication, includes any
information concerning the substance, purport or meaning of
that communication.
• “Intercept” (18 U.S.C. § 2510(4)): Defined broadly as “the
aural or other acquisition of the contents of any wire,
electronic, or oral communication through the use of any
electronic, mechanical, or other device.”
II. ECPA – Title III
Legal Process (18 U.S.C. § 2516(3)): Disclosure via Title III requires a Court Order:
• Requirements for a Court Order: Law enforcement must demonstrate probable cause that
the search will reveal evidence of criminal wrongdoing
– The court order must also specify: (i) the identity of the targeted individual; (ii) the facilities that will be
tapped; (iii) the type of communications to be intercepted; (iv) the criminal offense suspected; and (v) the
authorized period of the tap
• Type of Criminal Act Required (18 U.S.C. § 2516(2)): Only certain types of felonies (e.g.,
hacking, CFAA violations)
• All reasonable and normal investigative procedures must be exhausted and that the facilities
to be tapped are owned/commonly used by the targeted individual (18 U.S.C. § 2518(1)(c))
• Application must show “that the surveillance will be conducted in a way that minimizes the
interception of communications that do not provide evidence of a crime” (18 U.S.C. 2518(C))
• Time Limit (18 U.S.C. § 2518(5)): The warrant is valid for no more than 30 days, but can be
extended
II. ECPA – Title III
Title III Consequences of a Violation:
• Criminal Penalties: Interception, use, or disclosure in
violation of Title III is generally punishable by imprisonment
for not more than five years and/or a fine of not more than
$250,000 for individuals and not more than $500,000 for
organizations (18 U.S.C. § 2511(4)(a))
• Civil Penalties: Victims of a Title III violation may be entitled
to equitable relief, damages (equal to the greater of actual
damages, $100/day of violation, or $10,000), punitive
damages, reasonable attorney fees, and reasonable litigation
costs (18 U.S.C. § 2520 (a),(b) & (c))
II. ECPA – Title III
Good Faith Defense (18 U.S.C. § 2520(d)) - “A good
faith reliance on:
• a court warrant or order, a grand jury subpoena, a
legislative authorization, or a statutory authorization;
• a request of an investigative or law enforcement officer
under section 2518 (7) of this title; or
• a good faith determination that section 2511 (3) or 2511
(2)(i) of this title permitted the conduct complained of; is
a complete defense against any civil or criminal action
brought under this chapter or any other law.”
II. ECPA – Title III
• Although 18 USCS § 2520 does not define “good faith”, there is an
analogy to the good faith defense allowed in 42 USCS § 1983 cases
• Defendant may invoke the defense of good faith reliance on a court order only if he
can demonstrate:
(1) that he had a subjective good faith belief that he acted legally pursuant to
court order; and
(2) that this belief was reasonable; there was sufficient testimony at trial which,
if believed by the jury, would establish that the telephone company held an honest
and reasonable belief that it acted legally pursuant to court order.
Jacobson v. Rose (1978, CA9 Nev.), 92 F.2d 515, cert den 442 US 930 (1979)
II. ECPA – SCA
Stored Communications Act:
• “Stored Communications” (18 U.S.C. § 2510(17)): “(A) any temporary,
intermediate storage of a wire or electronic communication incidental to the
electronic transmission thereof; and (B) any storage of such communication
by an electronic communication service for purposes of backup protection of
such communication.”
• Protections: Email, voicemail, and other electronic communications (only
somewhat akin to that available for telephone and face-to-face
conversations under 18 U.S.C. §§ 2510-2522)
• Prohibitions: Generally bars surreptitious access to communications at
rest/storage, although it goes beyond the confines that apply to interception
II. ECPA – SCA
General Prohibitions Under Section 2701(a): It is a
federal crime to:
(1) Intentionally access w/o authorization or exceed an
authorization to access;
(2) a facility through which an electronic communication
service is provided; and
(3) thereby obtain, alter, or prevent authorized access to a
wire/ electronic communication while it is in electronic
storage in such system (18 U.S.C. § 2701(a)(1))
II. ECPA – SCA
Exceptions to Section 2701(a):
• 18 U.S.C. § 2701(c): Section 2701(a) does not apply w/ respect to conduct authorized: (1) by the person/entity
providing a wire or electronic communications service; (2) by a user of that service w/ respect to a
communication of or intended for that user; or (3) in Section 2703 [requirements for gov’t access], Section
2704 [backup preservation], or 2518 [court ordered wiretapping/ electronic eavesdropping] of this title
• 18 U.S.C. § 2707(e): Good Faith Defense provided when there is a good faith reliance on:
– (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a
request of a governmental entity under section 2703(f) of this title) [relating to an official request for a service provider
to preserve evidence];
– (2) a request of an investigative or law enforcement officer under section 2518(7) of this title [relating to emergency
wiretapping and electronic eavesdropping]; or
– (3) a good faith determination that section 2511(3) of this title [relating to the circumstances under which an electronic
communications provider may divulge the contents of communication] permitted the conduct complained of is a
complete defense to any civil or criminal action brought under this chapter or any other law
• 18 U.S.C. § 2703(e): General immunity from civil liability for electronic communications providers – “[N]o cause
of action shall lie in any court against any provider of wire or electronic communication service, its officers,
employees, agents, or other specified persons for providing information, facilities, or assistance in accordance
with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter.”
II. ECPA – SCA
• Secondary Prohibitions Under Section 2702:
Section 2702 bans the disclosure of the content of
electronic communications and records relating to them
by those who provide the public w/ electronic
communications service/ remote computing service.
• Forbids providers to disclose:
(1) the content of certain communications to anyone [18
U.S.C. § 2702(a)(1) & (2)]; or
(2) related records to governmental entities [18 U.S.C. §
2702(a)(3)]
II. ECPA – SCA
Exceptions (18 U.S.C. § 2702(b)): Permits disclosure of the contents of a communication:
(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended
recipient;
(2) as otherwise authorized in section 2517 [relating to disclosures permitted under Title III], 2511(2)(a) [relating
to provider disclosures permitted under Title III for protection of provider property or incidental to
service], or 2703 [relating to required provider disclosures pursuant to governmental authority] of this
title;
(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the
subscriber in the case of remote computing service;
(4) to a person employed or authorized or whose facilities are used to forward such communication to its
destination;
(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of
the provider of that service;
(6) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto
under section 227 of the Victims of Child Abuse Act of 1990;
(7) to a law enforcement agency—(A) if the contents—(i) were inadvertently obtained by the service
provider; and (ii) appear to pertain to the commission of a crime;
(8) to a Federal, State, or local government entity, if the provider, in good faith, believes that an
emergency involving danger of death or serious physical injury to any person requires disclosure
without delay of communications relating to the emergency.
II. ECPA – SCA
Government Access Requirements: Generally less demanding than those
under Title III
• Two kinds of information: In the custody of the communications service
provider: (1) communications records; and (2) the content of electronic/ wire
communications
• Two avenues of law enforcement access:
– Permissible/Voluntary Provider Disclosure (18 U.S.C. § 2702)
• Inadvertent discovery of information relating to the commission of a crime (18 U.S.C. §
2702(b))
• Emergency situation (18 U.S.C. § 2702(b))
– Required Provider Access (18 U.S.C. § 2703)
• Search warrant required to compel providers to supply content of wire/electronic
communications held in electronic storage for less than 180 days (18 U.S.C. § 2703(a))
• Use of a search warrant/ subpoena/ court order to force content disclosure w/ respect to
communications held for more than 180 days (18 U.S.C. § 2703(a))
II. ECPA – SCA
Consequences of Violation of SCA:
• Criminal:
– Serious offenses are punishable by imprisonment for not more than five years (not more than
10 years for a subsequent conviction) and/or a fine of not more than $250,000 (not more
than $500,000 for organizations);
– Lesser offenses are punishable by imprisonment for not more than one year (not more than
five years for a subsequent conviction) and/or a fine of not more than $100,000 (18 U.S.C. §
2701(b))
• Civil: Victims of a violation of subsection 2701(a) have a cause of action for equitable
relief, reasonable attorneys’ fees and costs, and damages equal to the amount of any
offender profits added to the total of the victim’s losses (18 U.S.C. § 2707)
• Good Faith Defense Limitations for Service Providers: Service providers are unable
to claim the benefit of one of the section’s exceptions, of the good faith defense under
subsection 2707(e), or of the immunity available under subsection 2703(e)—may be
liable for civil damages, costs and attorneys’ fees under section 2707 for any
violation of section 2702.
II. ECPA – Pen/Trap Act
The Pen/Trap Act:
• Definitions: A trap and trace device identifies the source of incoming calls, and a pen
register indicates the numbers called from a particular instrument (18 U.S.C. § 3127(3) & (4))
• Application: The Title III wiretap provisions apply when, due to the nature of advances in
telecommunications technology, pen registers and trap and trace devices are able to capture
wire communication “content.” [In re United States, 441 F.Supp.2d 816 (S.D. Tex. 2006)]
• Prohibitions/Exceptions: Subsection 3121(a) outlaws installation or use of a pen register
or trap and trace device, except under one of seven circumstances:
– (1) pursuant to a court order issued under sections 3121-3127;
– (2) pursuant to a Foreign Intelligence Surveillance Act (FISA) court order;
– (3) with the consent of the user;
– (4) when incidental to service;
– (5) when necessary to protect users from abuse of service;
– (6) when necessary to protect providers from abuse of service; or
– (7) in an emergency situation
II. ECPA – Pen/Trap Act
• Government Access: Officials may apply for a court order authorizing the
installation and use of a pen register and/or a trap and trace device upon
certification that the information that it will provide is relevant to a pending
criminal investigation (18 U.S.C. § 3122)
• Court Order Requirements:
– (1) specify (i) the person upon whose telephone line the device is to be
installed, (ii) the person who is the subject of the criminal investigation, (iii) the
telephone number, the location of the line to which the device is to be attached,
and geographical range of the device, and (iv) a description of the crime to
which the investigation relates;
– (2) upon request, direct carrier assistance under section 3124;
– (3) terminate within 60 days, unless extended;
– (4) involve a report of particulars of the order’s execution in Internet cases; and
– (5) impose necessary nondisclosure requirements (18 U.S.C. § 3123)
II. ECPA – Pen/Trap Act
Consequences of Violation of Pen/Trap Act:
• Criminal: Punishable by imprisonment for not more
than a year and/or a fine of not more than $100,000
($200,000 for an organization) (18 U.S.C. §§ 3121(d),
3571)
• Good Faith Defense: Subsection 3124(e) creates a
good faith defense for reliance upon a court order
under subsection 3123(b), an emergency request under
subsection 3125(a), “a legislative authorization, or a
statutory authorization.” (18 U.S.C. § 3124(e))
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
• Consequences of Refusal of Subpoena/ Search
Warrant/ Court Order:
– Contempt of court
– Fines
– Jail
– Forced Suspension of business (e.g., Lavabit)
• Compliance with Law Enforcement Request may
even lead to Civil Litigation (but there’s a statutory
affirmative defense)
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
Civil Litigation and the Section 2520(d) Good Faith
Defense:
• McCready v. eBay, Inc., 453 F.3d 882 (7th Cir. 2006)
– Facts: McCready brought action against Internet sales
service and numerous users of service alleging violations of
Fair Debt Collection Practices Act (FDCPA), Fair Credit
Reporting Act (FCRA), Bankruptcy Code, and Electronic
Fund Transfers Act (EFTA). Court orders eBay to produce
documentation on plaintiff related to lawsuit. McCready sues
eBay for violation of the ECPA.
– Holding: Corporation’s good faith reliance on subpoena was
complete defense to individual’s actions under the ECPA.
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
Civil Litigation and the Section 2707(e)(1) Good Faith Defense:
• Freedman v. AOL, Inc., 325 F.Supp.2d 638 (E.D. Va. 2004):
– Facts: Subscriber brought action against AOL under SCA on the ground that AOL
wrongfully disclosed plaintiff's subscriber information to law enforcement in response to
a warrant application that had not been signed by a judge.
– Holding: Court held that a genuine issue of fact existed as to the reasonableness of
AOL’s good faith defense because it was disputable that AOL should have known that
warrant was invalid.
• Fox v. CoxCom Inc., No. CV-11-594-PHX-SMM, (D. Ariz. 2012):
– Facts: CoxCom received a grand jury subpoena ordering the company to produce
information on plaintiff, which was handled by CoxCom’s “Subpoena Compliance
Office.” Plaintiff sued for violation of the SCA.
– Holding: Court granted summary judgment in favor of CoxCom, Inc. stating that service
provider had a good faith reliance on the subpoena due to CoxCom’s evidence of
established procedures in responding to such data requests that were adequately
applied in this situation.
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
Criminal Prosecution and the Implied Defense Under Section 2511(2)(a)(ii):
• Litigation Under Section 2511(2)(a)(ii): If a plaintiff alleges that defendant cooperated
improperly with law enforcement officials in violation of Section 2511(2)(a)(ii), the Senate
Judiciary Committee Report (Senate Rpt. No. 99-541 at 26-27) explains how such cases
should be litigated:
– (1) The complaint must allege that a wire or electronic communications service provider
(or one of its employees): (a) disclosed the existence of a wiretap; (b) acted without
a facially valid court order or certification; (c) acted beyond the scope of a court
order or certification; or (d) acted in bad faith. Acting in bad faith would include
failing to read the order or collusion. If the complaint fails to make any of these
allegations, the defendant can move to dismiss the complaint for failure to state a claim
upon which relief can be granted.
– (2) If during the course of pretrial discovery the plaintiff's claim proves baseless, the
defendant can move for summary judgment.
– (3) If the court denies the summary judgment motion, the case goes to trial. At the close
of the plaintiff's case, the defendant again can move for dismissal. If that motion is
denied, the defendant then has the opportunity to present to the jury its section 2520
good faith defense.
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
• Marshall v. Willner, No. 3:06-CV-665 (W.D.Ky. 2007):
– Holding that telephone companies and individual employees of those entities, were
exempt from liability under § 2511(2)(a)(ii) if, as the plaintiff alleged, they were
presented with an order from the FBI permitting a wiretap, regardless of whether the
order was obtained in violation of the law, and stating that “[t]o hold otherwise would
place service providers, like Defendants, and their employees in the precarious
situation of risking potential liability for following what appear to be valid court orders.”
• Bansal v. Microsoft Hotmail, 267 F. App'x 184, 185 (3d Cir. 2008):
– “Like the SCA, the Crime Control Act exempts ‘providers of ... electronic communication
services” from liability if they have disclosed information pursuant to a court order.’ 18
U.S.C. § 2511(2)(a)(ii) . . . Because Microsoft Hotmail disclosed the contents of
Bansal's emails pursuant to a court order, it cannot be liable under the statute.”
III. Consequences of Refusal/Compliance
with Law Enforcement Data Requests
Discovery in Civil Proceedings: In a number of cases, courts have held that there is no civil subpoena exception to
ECPA that permits the disclosure of the content of communications:
• O'Grady v. Superior Court, 139 Cal.App.4th 1423 (Cal. Ct. of Appeal 2006):
– Facts: Computer manufacturer filed action against Web site publishers alleging they published confidential
company information about an impending product, and seeking to identify the source of the disclosures.
– Holding: “Since the Act makes no exception for civil discovery and no repugnancy has been shown between a
denial of such discovery and congressional intent or purpose, the Act must be applied, in accordance with its
plain terms, to render unenforceable the subpoenas seeking to . . . disclose the contents of emails stored
on [the service provider’s] facilities.”
• In re Subpoena Duces Tecum to AOL, LLC, 550 F.Supp.2d 606 (E.D. Va. 2008):
– Facts: Non-party witnesses in an action pending in another district moved to quash a subpoena duces tecum
issued to their Internet service provider, seeking production of the witnesses' emails.
– Holding: “the issuance of a civil discovery subpoena is not an exception to the provisions of the Privacy
Act that would allow an internet service provider to disclose the communications at issue here.”
• But see, Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008):
– Facts: In civil action, defendant city and one individual defendant moved to prevent discovery of communications
exchanged among certain officials and employees of the city via city-issued text messaging devices retained by
non-party service provider.
– Holding: The SCA did not preclude civil discovery of city's relevant, nonprivileged electronically stored
communications that were maintained by a non–party service provider but remained within the city's
control.
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
• Discussion of how/when companies disclose
information to law enforcement varies widely between
company privacy policies
– Examples:
• Google
• Facebook
• Comcast
• AT&T
• Verizon
• DOJ recently permitted companies to disclose
statistical information concerning disclosure of
information to the federal government
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
Google’s Privacy Agreement (https://www.google.com/intl/en/policies/privacy/
(last modified Dec. 30, 2013)):
• “Information we share: We do not share personal information with
companies, organizations and individuals outside of Google unless one of
the following circumstances applies: . . .
– For legal reasons
• We will share personal information with companies, organizations or individuals outside
of Google if we have a good-faith belief that access, use, preservation or disclosure of
the information is reasonably necessary to:
• meet any applicable law, regulation, legal process or enforceable governmental
request.
• enforce applicable Terms of Service, including investigation of potential violations.
• detect, prevent, or otherwise address fraud, security or technical issues.
• protect against harm to the rights, property or safety of Google, our users or the public
as required or permitted by law.”
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
Facebook’s Data Use Policy (https://www.facebook.com/about/privacy/other (Last modified Nov.
15, 2013)) :
“Responding to legal requests and preventing harm: We may access, preserve and share
your information in response to a legal request (like a search warrant, court order or subpoena)
if we have a good faith belief that the law requires us to do so. This may include responding
to legal requests from jurisdictions outside of the United States where we have a good faith
belief that the response is required by law in that jurisdiction, affects users in that jurisdiction,
and is consistent with internationally recognized standards. We may also access, preserve and
share information when we have a good faith belief it is necessary to: detect, prevent and
address fraud and other illegal activity; to protect ourselves, you and others, including as part of
investigations; or to prevent death or imminent bodily harm. Information we receive about you,
including financial transaction data related to purchases made with Facebook, may be
accessed, processed and retained for an extended period of time when it is the subject of
a legal request or obligation, governmental investigation, or investigations concerning
possible violations of our terms or policies, or otherwise to prevent harm. We also may
retain information from accounts disabled for violations of our terms for at least a year to prevent
repeat abuse or other violations of our terms.”
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
Comcast Xfinity’s Web Services Privacy Policy
(http://xfinity.comcast.net/privacy/2014-01/ (Effective Jan. 23, 2014)):
• “13. Disclosures of Information: Comcast holds customer privacy in the
highest regard and we make every reasonable effort to protect your privacy
as described in this Privacy Policy. Nevertheless, we may be required by
law to disclose Personally Identifiable Information or other information about
you or other users of the Comcast Web Services. These disclosures may
be made with or without your consent, and with or without notice, in
compliance with the terms of a subpoena, court order, search warrant,
or other valid legal process. We may also disclose information about you
or users of the Comcast Web Services when we believe in good faith that
the disclosure of information is necessary to prevent financial loss,
address suspected illegal activity, protect our rights or property, or prevent
imminent physical harm.”
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
AT&T’s Privacy Policy (http://www.att.com/gen/privacy-policy?pid=13692#menu
(Effective Sept. 16, 2013)):
• “Some examples of who we share your Personal Information with:
– Across AT&T companies to give you the best customer experience and to help you get
everything we have to offer.
– With other companies that perform services on our behalf only as needed for them to
perform those services. We require them to protect your information consistent with our
Policy.
– With other companies and entities, to:
• Respond to 911 requests and other emergencies or exigencies;
• Comply with court orders and other legal process;
• Assist with identity verification, and preventing fraud and identity theft;
• Enforce our agreements and property rights; and
• Obtain payment for products and services including the transfer or sale of delinquent accounts to
third parties for collection”
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
Verizon’s Privacy Policy (http://www.verizon.com/about/privacy/policy/ (Last modified Jan.
2014)):
• “Information Shared Outside the Verizon Family of Companies: . . . We may disclose
information that individually identifies our customers or identifies customer devices in certain
circumstances, such as:
– to comply with valid legal process including subpoenas, court orders or search warrants, and as
otherwise authorized by law;
– in cases involving danger of death or serious physical injury to any person or other emergencies;
– to protect our rights or property, or the safety of our customers or employees;
– to protect against fraudulent, malicious, abusive, unauthorized or unlawful use of or subscription to our
products and services and to protect our network, services, devices and users from such use;
– to advance or defend against complaints or legal claims in court, administrative proceedings and
elsewhere;
– to credit bureaus or collection agencies for reporting purposes or to obtain payment for Verizon-billed
products and services;
– to a third-party that you have authorized to verify your account information;
– to outside auditors and regulators; or
– with your consent.”
IV. Importance of Contract Terms Regarding
Law Enforcement Litigation Gathering
DOJ’s Agreement with Google, Facebook, LinkedIn, etc. re Reporting Gov’t Requests for Customer Data (Jan. 27,
2014):
• “The government is now providing two alternative ways in which companies may inform their
customers about requests for data . . .
• Option One. A provider may report aggregate data in the following separate categories:
– Criminal process, subject to no restrictions.
– The number of NSLs received, reported in bands of 1000 starting with 0-999.
– The number of customer accounts affected by NSLs, reported in bands of 1000 starting with 0-999.
– The number of FISA orders for content, reported in bands of 1000 starting with 0-999.
– The number of customer selectors targeted under FISA content orders, in bands of 1000 starting with 0-999.
– The number of FISA orders for non-content, reported in bands of 1000 starting with 0-999.
– The number of customer selectors targeted under FISA non-content orders, in bands of 1000 starting with 0-999.
• Option Two. In the alternative, a provider may report aggregate data in the following separate categories:
– Criminal process, subject to no restrictions.
– The total number of all national security processes received, including all NSLs and FISA orders, reported as a single number in the
following bands: 0-249 and thereafter in bands of 250.
– The total number of customer selectors targeted under all national security process, including all NSLs and FISA orders, reported as
a single number in the following bands, 0-249, and thereafter in bands of 250.
• Other Stipulations:
– Provider may publish the FISA and NSL numbers every six months
– FISA info – six month delay between publication date and period covered by the report
Conclusion
• Companies should not automatically assume they
must provide information in response to a subpoena
if that information may be protected
• Management should evaluate the risk of disclosing
the information, and the potential consequences of
doing so, against the risks of withholding the
information