For Now, Emails Stored on Foreign Servers Are Immune to Warrant Searches

On July 14, 2016, the Second Circuit Court of Appeals ruled in the potentially groundbreaking Microsoft v. United States case that the federal government cannot compel companies to turn over emails stored on servers located outside the United States. In today’s border-shrinking digital world, the Second Circuit’s ruling raises a slew of questions (that will no doubt be litigated extensively in the coming years) and more than a few concerns.

In December 2013, the United States government sought to execute a search warrant pursuant to Section 2703(a) of the Stored Communications Act (the “SCA”) to seize the contents of an email account of a suspected participant in a narcotics ring, which was stored on Microsoft’s servers in Ireland. Microsoft refused to turn over the extraterritorial emails, and was held in contempt for failing to comply with a search warrant.

Initially, the Southern District of New York ruled that Section 2703 of the SCA applies extraterritorially, and ordered Microsoft to release the sought-after emails. On appeal, however, the Second Circuit held that Section 2703 of the SCA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.”

In reversing the district court, even after noting the presumption against extraterritoriality, the Second Circuit relied heavily upon the fact that the SCA, passed in 1986, was drafted when computers were in their infancy, foreign-communicating servers did not exist, and very few lawmakers were familiar with the concept of the Internet. The Second Circuit also found persuasive the fact that the SCA’s warrant provision that allows the government to require disclosure of electronically stored communications, like any other search warrant and unlike subpoenas, is restricted by the Fourth Amendment to domestic applications only.

In the concurrence to the Microsoft opinion, the Second Circuit acknowledges that the SCA does not protect emails and other information stored on domestic servers. In fact, the Court notes, nothing prevents private companies from transferring electronically stored communications stored on foreign servers to American-based servers with the click of a button, which would give the federal government the opportunity to execute a properly obtained search warrant lawfully.

At minimum, this case signals to Congress the urgent need to update outdated statutes like the SCA that have been rendered obsolete by decades of warp-speed technological breakthroughs and advancement. In 1986, the concept of cloud storage, extraterritorial servers and high-speed Internet was the stuff of science fiction novels. Today, such technology is used by virtually every business and by a large percentage of the world’s population. The Second Circuit has signaled to Congress that the time to weigh privacy interests against the government’s legitimate need for evidence is now.

FCC Fines Prompt AT&T to “Zealously Guard” Customers’ Personal Information

On April 8, 2015, the Federal Communications Commission (“FCC”) announced its largest ever data security settlement requiring AT&T to pay $25 million to resolve an investigation into data security breaches at its call centers in the Philippines, Mexico, and Colombia. AT&T’s privacy violations involved the unauthorized disclosure of the names, full or partial Social Security Numbers, and other protected customer proprietary network information (“CPNI”) of nearly 280,000 U.S. customers.

The initial focus of the FCC’s investigation was a 168-day long breach beginning in November 2013 at AT&T’s call center in Mexico where thousands of customer accounts were accessed and sold without authorization. The buyers, who were likely trafficking stolen cell phones, submitted nearly 291,000 handset unlock requests to AT&T’s Mexico call center. Similar breaches occurred in Colombia and the Philippines, where a combined total of approximately 211,000 customer accounts were accessed without authorization.

In response, the FCC brought charges of violations of Sections 222 and 201(b) of the Communications Act (the “Act”) against AT&T for failure to timely report the breaches. Section 222 of the Act requires companies like AT&T to take every reasonable precaution to protect customer data, including CPNI, and to take reasonable measures to discover and report attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.” Section 201(b) of the Act prohibits unjust and unreasonable practices.

AT&T notified law enforcement of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation, and several months after the actual breach. In an effort to mitigate the breach, AT&T notified victims of the breach and the California Attorney General, terminated its relationship with the Mexico call center, mandated the uniform use of partial social security numbers in all call centers, and developed new customer account monitoring and phone access/unlock policies.

The FCC settlement also mandates the implementation of a permanent, strict compliance plan that requires AT&T to:

  1. designate a senior compliance manager who is a certified privacy professional;
  2. complete a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
  3. implement an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
  4. prepare a compliance manual to be distributed to all covered employees and vendors; and
  5. regularly train employees on its privacy policies and applicable privacy legal authorities.

AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.

The FCC has taken the position that phone companies are expected to “zealously guard” their customers’ personal information and that the FCC “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” This position tracks the trend of active enforcement of consumer data security breaches over the past year. To that end, companies in possession of CPNI and other protected customer information should heed the Agreement and “look to [it] as guidance” for protecting customer information and avoiding liability under Sections 222 and 201(b) of the Act.

We expect that other telephone companies/carriers will continue to evolve and implement heightened security measures in response to this settlement, and the FCC will surely investigate those companies who are not in compliance.

Image courtesy of Flickr by Michael Weinberg

FTC Approves Final Order Requiring Snapchat to Implement a Stronger Privacy Policy

The Federal Trade Commission (FTC) recently approved a final order settling charges against Snapchat, Inc. (Snapchat), the developer of a mobile application that allows users to exchange impermanent photographs, referred to by Snapchat as “snaps” (the “FTC order”).

When Snapchat was launched in May 2012, users were sending approximately twenty-five snap images per second.  By November 2013, that figure surged to nearly four hundred million snaps per day, and continues to grow.  Many attribute Snapchat’s immense popularity to the intuitive user interface, the scarcity effect tied to the vanishing snaps, and Snapchat’s promise that images and video sent through the application would be irretrievably destroyed and not digitally archived after viewing.

In May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat deceptively misled consumers to believe that snaps would be destroyed within seconds of viewing when, in fact, they are stored on users’ phones in a relatively accessible form and can be easily captured by way of “screen-shotting” the image.  EPIC further claimed that Snapchat failed to establish and enforce security measures to protect user data.

The FTC order settles EPIC’s allegations and forbids Snapchat from misrepresenting (1) the extent to which a snap is deleted after being viewed; (2) the extent to which Snapchat is capable of detecting or notifying senders when a recipient has saved a snap; and (3) the steps taken by Snapchat to protect against misuse of user information.

The final order also directs Snapchat to implement a privacy program that will be monitored for the next twenty years.  Additionally, Snapchat agreed to revise its privacy policy to address privacy risks and to protect the confidentiality of information about its users, including names, addresses, online contact information, telephone numbers, IP addresses, geo-location, usernames, and passwords.  The revised Snapchat privacy policy now provides that Snapchat “can’t guarantee that messages will be deleted within a specific timeframe” and that, even after a snap is deleted from Snapchat’s server, it “may remain in backup for a limited period of time.”  Snapchat also now warns that, “there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted.”

The final order furthers the FTC’s recent efforts to ensure that companies in the post-smartphone era describe mobile applications truthfully and uphold privacy promises to end users.  The approval of the final order could well inspire other applications like Slingshot (Facebook’s answer to Snapchat), and Whisper and Secret (applications that allow users to make anonymous confessions) that promise anonymity and privacy to reassess the way in which their current privacy policies are drafted and enforced.

Image courtesy of Wikimedia Commons