Constitutional Law

The StingRay You’ve Never Heard Of: How One of the Most Effective Tools in Law Enforcement Operates Behind a Veil of Secrecy

Dan O’Dea, MJLST Staffer

One of the most effective investigatory tools in law enforcement has operated behind a veil of secrecy for over 15 years. “StingRay” cell phone tower simulators are used by law enforcement agencies to locate and apprehend violent offenders, track persons of interest, monitor crowds when intelligence suggests threats, and intercept signals that could activate devices. When passively operating, StingRays mimic cell phone towers, forcing all nearby cell phones to connect to them, while extracting data in the form of metadata calls, text messages, internet traffic, and location information, even when a connected phone is powered off. They can also inject spying software into phones and prevent phones from accessing cellular data. StingRays were initially used overseas by federal law enforcement agencies to combat terrorism, before spreading into the hands of the Department of Justice and Department of Homeland Security, and now are actively used by local law enforcement agencies in 27 states to solve everything from missing persons cases to thefts of chicken wings.

The use of StingRay devices is highly controversial due to their intrusive nature. Not only does the use of StingRays raise privacy concerns, but tricking phones into connecting to StingRays mimicking cell phone towers prevent accessing legitimate cell phone service towers, which can obstruct access to 911 and other emergency hotlines. Perplexingly, the use of StingRay technology by law enforcement is almost entirely unregulated. Local law enforcement agencies frequently cite secrecy agreements with the FBI and the need to protect an investigatory tool as a means of denying the public information about how StingRays operate, and criminal defense attorneys have almost no means of challenging their use without this information. While the Department of Justice now requires federal agents obtain a warrant to use StingRay technology in criminal cases, an exception is made for matters relating to national security, and the technology may have been used to spy on racial-justice protestors during the Summer of 2020 under this exception. Local law enforcement agencies are almost completely unrestricted in their use of StingRays, and may even conceal their use in criminal prosecutions by tagging their findings as those of a “confidential source,” rather than admitting the use of a controversial investigatory tool. Doing so allows prosecutors to avoid  battling 4th amendment arguments characterizing data obtained by StingRays as unlawful search and seizure.

After existing in a “legal no-man’s land” since the technology’s inception, Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-HI) sought to put an end to the secrecy of StingRays through introducing the Cell-Site Simulator Warrant Act of 2021 in June of 2021. The bill would have mandated that law enforcement agencies obtain a warrant to investigate criminal activity before deploying StingRay technology while also requiring law enforcement agencies to delete data of phones other than those of investigative targets. Further, the legislation would have required agencies to demonstrate a need to use StingRay technology that outweighs any potential harm to the community impacted by the technology. Finally, the bill would have limited authorized use of StingRay technology to the minimum amount of time necessary to conduct an investigation. However, the Cell-Site Simulator Warrant Act of 2021 appears to have died in committee after failing to garner significant legislative support.

Ultimately, no device with the intrusive capabilities of StingRays should be allowed to operate free from the constraints of regulation. While StingRays are among the most effective tools utilized by law enforcement, they are also among the most intrusive into the privacy of the general public. It logically follows that agencies seeking to operate StingRays should be required to make a showing of a need to utilize such an intrusive investigatory tool. In certain situations, it may be easy to establish the need to deploy a StingRay, such as doing so to further the investigation of a missing persons case. In others, law enforcement agencies would correctly find their hands tied should they wish to utilize a StingRay to catch a chicken wing thief.


Inconceivable! How the Fourth Amendment Failed the Dread Pirate Roberts in United States v. Ulbricht

Emily Moss, MJLST Staffer

It is not an overstatement to claim that electronic devices, such as laptop and smart phones, have “altered the way we live.” As Chief Justice Roberts stated, “modern cell phones . . . are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” Riley v. California, 573 U.S. 373, 385 (2014). These devices create new digital records of our everyday lives. United States v. Ulbricht, 858 F.3d 71 (2d Cir. 2017) is one of many cases that grapple with when the government should gain access to these records.

In February 2015, a jury found Ross William Ulbricht (aka “Dread Pirate Roberts” or “DPR”) guilty on seven counts related to his creation and operation of Silk Road. United States v. Ulbricht, 858 F.3d 71, 82 (2d Cir. 2017). Silk Road was an online criminal marketplace where, using the anonymous currency Bitcoin, “users principally bought and sold drugs, false identification documents, and computer hacking software.” Id. Government trial evidence showed that, hoping to protect Silk Road anonymity, DPR commissioned the murders of five people. Id. at 88. However, there is no evidence that the murders actually transpired. Id.

On appeal, the Second Circuit upheld both the conviction and Ulbricht’s two-life sentence. Ulbricht, 858 F.3d at 82. Ulbricht argued, inter alia, that “the warrant[] authorizing the government to search his laptop . . . violated the Fourth Amendment’s particularity requirement.” Id. at 95. The warrant authorized “opening or ‘cursorily reading the first few’ pages of files to ‘determine their precise contents,’ searching for deliberately hidden files, using ‘key word searches through all electronic storage areas,’ and reviewing file ‘directories’ to determine what was relevant.” Id. at 101–02. Ulbricht claimed that the warrant violated the Fourth Amendment’s particularity requirement because it “failed to specify the search terms and protocols” that the government was required to employ while searching Ulbricht’s laptop. Id. at 102.

The court acknowledged that particularity is especially important when the warrant authorizes the search of electronic data, as the search of a computer can expose “a vast trove of personal information” including “sensitive records.” Id. at 99. It noted that “a general search of electronic data is an especially potent threat to privacy because hard drives and e-mail accounts may be ‘akin to a residence in terms of the scope and quantity of private information [they] may contain’ . . . Because of the nature of digital storage, it is not always feasible to ‘extract and segregate responsive data from non-responsive data,’. . . creating a ‘serious risk that every warrant for electronic information will become, in effect, a general warrant.’” Id. (internal citations omitted).

Nonetheless, the court rejected Ulbricht’s claim that the laptop warrant failed to meet the Fourth Amendment’s particularity requirement. It reasoned that it would be impossible to identify how relevant files would be named before the laptop search began, which the government reasonably anticipated when requesting the laptop warrant. Id. at 102 (emphasizing examples where relevant files and folders had misleading names such as “aliaces” or “mbsobzvkhwx4hmjt”). Further, the court held that broad search protocols were appropriate given that the alleged crime involved sophisticated technology and masking identity. Id. Ultimately, the court emphasized that the “fundamental flaw” in Ulbricht’s argument was that it equated a broad warrant with a violation of the particularity requirement. Id. Using the analogy of searching an entire home where there is probable cause to believe that there is relevant evidence somewhere in the home, the court illustrated that a warrant can be both broad and still satisfy the particularity requirement. Id. (citing U.S. Postal Serv. v. C.E.C. Servs., 869 F.2d 184, 187 (2d Cir. 1989)). The court therefore upheld the constitutionality of the warrant. The Supreme Court denied Ulbrich’s writ of certiorari.

Orin Kerr’s equilibrium adjudgment theory of the Fourth Amendment argues that as new tools create imbalanced power on either the side of privacy or the side of law enforcement, the Fourth Amendment must adjust to restore its original balance. The introduction of computers and the internet created an immense change in the tools that both criminals and law enforcement use. Without minimizing the significance of Ulbricht’s crimes, United States v. Ulbricht illustrates this dramatic change. While computers and the internet did create new avenues for crime, computer and internet searches—such as the ones employed by the government—do far more to disrupt the Fourth Amendment’s balance.

Contrary to the court’s argument in Ulbricht, searching a computer is entirely unlike searching a home. First, it is easy to remove items from your home, but the same is not true of computers. Even deleted files often linger on computers where the government can access them. Similarly, when law enforcement finds a file in someone’s home, it still does not know how that file was used, how often it has been viewed, or who has viewed it. But computers do store such information. These, and many other differences demonstrate why particularity, in the context of computer searches, is even more important than the court in UIlbricht acknowledged. Given the immense amount of information available on an individual’s electronic devices, Ulbricht glosses over the implications for personal privacy posed by broad search warrants directed at computers. And with the rapidly changing nature of computer technology, the Fourth Amendment balance will likely continue to stray further from equilibrium at a speed with which the courts will struggle to keep up.

Thus, adjusting the Fourth Amendment power balance related to electronic data will continue to be an important and complicated issue. See, e.g., Proposal 2 Mich. 2020) (amending the state’s constitution “to require a search warrant to access a person’s electronic data or electronic communications,” passing with unanimous Michigan Senate and House of Representative approval, then with 88.8% of voters voting yes on the proposal); People v. Coke, 461 P.3d 508, 516 (Colo. 2020) (“‘Given modern cell phones’ immense storage capacities and ability to collect and store many distinct types of data in one place, this court has recognized that cell phones ‘hold for many Americans the privacies of life’ and are, therefore, entitled to special protections from searches.”) (internal citations omitted). The Supreme Court has ruled on a number of Fourth Amendment and electronic data cases. See, e.g., Carpenter v. United States, 138 S.Ct. 2206 (2018) (warrantless attainment of cell-site records violates the Fourth Amendment); Riley v. California, 134 S.Ct. 2473 (2014) (warrantless search and seizure of digital contents of a cell phone during an arrest violates the Fourth Amendment). However, new issues seem to appear faster than they can be resolved. See, e.g., Nathan Freed Wessler, Jennifer Stisa Granick, & Daniela del Rosario Wertheimer, Our Cars Are Now Roving Computers. Is the Fourth Amendment Ready?, ACLU (May 21, 2019, 3:00 PM), https://www.aclu.org/blog/privacy-technology/surveillance-technologies/our-cars-are-now-roving-computers-fourth-amendment. The Fourth Amendment therefore finds itself in eel infested waters. Is rescue inconceivable?

Special thanks to Professor Rozenshtein for introducing me to Ulbricht and inspiring this blog post in his course Cybersecurity Law and Policy!


The “Circuit Split” That Wasn’t

Sam Sylvan, MJLST Staffer

Earlier this year, the Fourth Circuit punted on an opportunity to determine the constitutional “boundaries of the private search doctrine in the context of electronic searches.” United States v. Fall, 955 F.3d 363, 371 (4th Cir. 2020). The private search doctrine, crafted by the Supreme Court in the 80’s, falls under the Fourth Amendment’s umbrella. The doctrine makes it lawful for law enforcement to “search” something that was initially “searched” by a private third party, because the Fourth Amendment is “wholly inapplicable to a search or seizure, even an unreasonable one, effected by a private individual not acting as an agent of the Government or with the participation or knowledge of any government official.” United States v. Jacobsen, 466 U.S. 109, 113 (1984).

An illustration: Jane stumbles upon incriminating evidence on John’s laptop that implicates John in criminal activity (the “initial private search”), Jane shows the police what she found on the laptop (the “after-occurring” search), and the rest is history for John. But for law enforcement’s after-occurring search to avoid violating the Fourth Amendment, its search must not exceed the scope of the initial private search. “The critical measures [to determine] whether a governmental search exceeds the scope of the private search that preceded it,” United States v. Lichtenberger, 786 F.3d 478, 485 (6th Cir. 2015), include whether “there was a virtual certainty that nothing else of significance was in the [property subjected to the search]” and whether the government’s search “would not tell [law enforcement] anything more than [it] already had been told” or shown by the private searcher. Jacobsen, 466 U.S. at 119.

Of course, the Supreme Court’s holdings from the 80’s that speak to the scope of the Fourth Amendment are often difficult to reconcile with modern-day Fourth Amendment fact patterns that revolve around law enforcement searches of modern electronic devices (laptops; smartphones; etc.). In the key Supreme Court private search doctrine case, Jacobsen (1984), the issue was the constitutionality of a DEA agent’s after-occurring search of a package after a FedEx employee partially opened the package (upon noticing that it was damaged) and saw a white powdery substance.

Since the turn of the millennium, courts of appeals have stretched to apply Jacobsen to rule on the private search doctrine’s application to, and scope of, law enforcement searches of electronics. In 2001, the Fifth Circuit addressed the private search doctrine in a case where the defendant’s estranged wife took a bunch of floppy disks, CDs, and zip disks from the defendant’s property. She and her friend then discovered evidence of defendant’s criminal activity on those disks while searching some of them and turned the collection over to the police, which led to the defendant’s conviction. United States v. Runyan, 275 F.3d 449 (5th Cir. 2001).

There are two crucial holdings in Runyan regarding the private search doctrine. First, the court held that “the police exceeded the scope of the private search when they examined the entire collection of ‘containers’ (i.e., the disks) turned over by the private searchers, rather than confining their [warrantless] search to the selected containers [that were actually] examined by the private searchers.” Id. at 462. Second, the court held that the “police search [did not] exceed[] the scope of the private search when the police examine[d] more items within a particular container [i.e., a particular disk] than did the private searchers” who searched some part of the particular disk but not its entire contents. Id. at 461, 464. Notably absent from this case: a laptop or smartphone.

Eleven years after Runyan, the Seventh Circuit held that the police did not exceed the scope of the private searches conducted by a victim and her mother. Rann v. Atchison, 689 F.3d 832 (7th Cir. 2012) (relying heavily on Runyan). In Rann, the police’s after-occurring search included viewing images (on the one memory card brought to them by the victim and the one zip drive brought to them by the victim’s mother) that the private searchers themselves had not viewed. Id. Likening computer storage disks to containers (as the Runyan court did), the Rann court concluded “that a search of any material on a computer disk is valid if the private [searcher] viewed at least one file on the disk.” Id. at 836 (emphasis added). But notably absent from this case like Runyan: a laptop or smartphone.

Two years after Rann, the Supreme Court decided Riley v. California—a landmark case where the Court unanimously held that the warrantless search of a cellphone during an arrest was unconstitutional. Specific reasoning from the Riley Court is noteworthy insofar as assessing the Fourth Amendment’s (and, in turn, the private search doctrine’s) application to smartphones and laptops. The Court stated:

[W]e generally determine whether to exempt a given type of search from the warrant requirement by assessing, on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests. . . . [Smartphones] are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers. One of the most notable distinguishing features of [smartphones] is their immense storage capacity.

573 U.S. 373, 385, 393 (2014). Riley makes crystal clear that when the property at issue is a laptop or smartphone, the balance between a person’s privacy interests and the governmental interests tips heavily in favor of the individual’s privacy interests. In simpler terms, law enforcement needs a warrant to search a laptop or smartphone unless it has an extremely compelling reason for failing to comply with the Fourth Amendment’s warrant requirement.

 

One year after Riley, the Sixth and Eleventh Circuits—armed with Riley’s insights regarding modern electronic devices—decided Lichtenberger and United States v. Sparks, respectively. The two Circuits held that in both cases the police, in conducting their after-occurring warrantless searches of a laptop (Lichtenberger) and a smartphone (Sparks), exceeded the scope of the initial private searches, reaching these conclusions in large part due to Riley. In Lichtenberger, the police exceeded the scope of the initial private search when, without a warrant, they looked at photographs on the laptop that the private searcher had not looked at, despite the private searcher’s initial viewing of other photographs on the laptop. 786 F.3d 478 (6th Cir. 2015). In Sparks, the police exceeded the scope of the initial private search when, without a warrant, they viewed a video within the same album on the smartphone that the private searcher had scrolled through but which the private searcher did not actually view. 806 F.3d 1323 (11th Cir. 2015), overruled on other grounds by United States v. Ross, 963 F.3d 1056 (11th Cir. 2020) (overruling Sparks “to the extent that [Sparks] holds that [property] abandonment implicates Article III standing”).

 

At first glance, Lichtenberger and Sparks seem irreconcilable with Runyan and Rann, leading many commentators to conclude there is a circuit split regarding the private search doctrine: the “container” approach versus the “file”/“narrow” approach. But I disagree. And there is a rather simple explanation for reaching this conclusion—Riley merely heightened Jacobsen’s “virtual certainty” requirement in determining whether law enforcement exceed the scope of initial private searches of laptops and smartphones. In other words, “virtual certainty” is significantly elevated in the context of smartphones and laptops because of the heightened privacy interests at stake stemming from their immense storage capacities and unique qualities—i.e., they contain information and data about all aspects of our lives to a much greater extent than floppy disks, CDs, zip drives, and camera memory cards. Thus, the only apparent sure way for law enforcement to satisfy the private search doctrine’s “virtual certainty” requirement when a laptop or smartphone is involved (and thereby avoid inviting defendants to invoke the exclusionary rule) is to view exactly what the private searcher viewed.

In contrast, the “virtual certainty” requirement in the context of old school floppy disks, CDs, zip drives, and memory cards is quite simply a lower standard of certainty because the balance between privacy interests and legitimate governmental interests is not tipped heavily in favor of privacy interests.

While floppy disks, CDs, and zip drives somewhat resemble “containers,” such as the package in Jacobsen, smartphones and laptops are entirely different Fourth Amendment beasts. Accordingly, the four cases should all be analyzed through the lens that the particular electronic device at issue in each case is most significant because it guides the determination of whether the after-occurring search fell within the scope of the initial private search. Looking at the case law this way makes it so that it is not the container approach versus the file approach. Rather, it is (justifiably) the container approach for certain older electronic storage devices and the file approach for modern electronic devices that implicate weightier privacy concerns.


Hailstorms in Baltimore: The Fourth Circuit’s Opportunity to Create Oversight and Accountability for a Secretive Police Technology

Jordan Hughes, MJLST Staffer

The past several months have once again shone a spotlight on the difficulty of holding police and law enforcement accountable for their actions. The American public has become more aware than ever of the unions and structures in place to shield officers from liability. Despite years of DOJ investigations and investigative reporting into the procedures of departments around the country, many regular police practices remain hidden from the public eye. Including the use of secretive new technologies that allow for unprecedented levels of discretion—and unprecedented potentials for abuse.

The Hailstorm is one such dragnet-style electronic capturing device that over 85 federal and state enforcement agencies have used largely in secret for more than two decades. This past spring, the 4th Circuit joined the fledgling ranks of federal courts asked to grapple with constitutional questions raised by the elusive technology. Baltimore police used a Hailstorm in 2014 to locate Kerron Andrews, who had an outstanding arrest warrant. Andrews v. Balt. City Police Dep’t, No. CCB-16-2010, 2018 U.S. Dist. LEXIS 129523, at *4 (D. Md. Aug. 1, 2018). The device enabled Baltimore police to pinpoint the apartment building where Andrews was sitting, despite having been unable to find him using standard location information released to them by his phone carrier. The police never disclosed the device during their surveillance, citing instead a “pen register order” as authorization for its use. A Maryland state court held that the government violated Andrews’ Fourth Amendment rights through use of the Hailstorm, and a state appellate court upheld that decision. Andrews then sued the police department in a federal district court, but the federal court considered the search constitutional and granted summary judgment against him. Andrews appealed.

The 4th Circuit, in Andrews v. Balt. City Police Dep’t, No. 18-1953, 2020 U.S. App. LEXIS 9641 (4th Cir. Mar. 27, 2020), both acknowledged the serious constitutional questions at stake and declined to make a ruling on them due to a lack of information. The district court was directed on remand to make findings concerning the Baltimore Police Department’s practice regarding Hailstorm technology, as well as the extent of constitutional intrusions involved in the search. Whatever the outcome, the 4th Circuit is likely to hear this case again. When it finally does, the court will have to decide how to apply the Fourth Amendment to a technology that may be fully incompatible with the freedom from broad and general searches that it typically guarantees.

What is a Hailstorm?

The “Hailstorm” is a model of “cell site simulator” technology sold by Harris Corporation. Other commonly used Harris models include the “StingRay,” “TriggerFish,” and “KingFish.” Generically, these devices are known as international mobile subscriber identity (“IMSI”) catchers.

IMSI catchers essentially mimic a wireless carrier’s base station, causing cell phones to communicate their unique identifiers and location data to the device even when they’re not in use. They function as a dragnet, capturing the unique numerical identifiers of all wireless devices within a particular area. The technology provides both identification and location data for devices. It is precise enough for law enforcement to narrow a device’s location to six feet, and to identify the exact unit a device is in from outside a large apartment complex. IMSI catchers are also capable of capturing the contents of communications, although there has not been a disclosed instance yet of law enforcement using an IMSI catcher in this fashion. IMSI catchers are small, and can easily be handheld or mounted on vehicles or drones.

What is the concern?

The Hailstorm raises a number of concerns under the Fourth Amendment—the constitutional provision meant to protect Americans from unreasonable searches and seizures. The ACLU, in a 2014 guide for defense attorneys, outlined the major Fourth Amendment questions that arise with the use of any IMSI catcher. These include:

  1. Level of scrutiny: IMSI catchers are almost certainly intrusive enough to violate both reasonable expectations of privacy and property interests, thus giving rise to Fourth Amendment scrutiny. When used in connection with a residence, the devices provide critical details about the inside of the property that constitutes a search under any framework. While the Supreme Court has held that there is no reasonable expectation of privacy on outgoing phone numbers voluntarily sent to a third party, that analysis likely cannot extend to data that gets redirected and captured by a Hailstorm without the phone-owner’s knowledge or consent.
  2. General search: There is an argument that any search conducted by an IMSI catcher constitutes a general search, and thus should be categorically barred by the Fourth Amendment. An IMSI catcher indiscriminately gathers all signaling information from a captured phone, seemingly incompatible with a constitutional requirement that surveillance minimize the collection of information unsupported by probable cause. Further, the dragnet functionality conducts this information grab on all devices in a vicinity, including innocent third parties whom the government lacks probable cause to search.
  3. Inaccurate warrants: When law enforcement does apply for a warrant to use an IMSI catcher, those warrants are very likely inaccurate. Warrant applications, driven by federal policies of non-disclosure, typically either (a) omit the fact that the government intends to use an IMSI catcher, (b) mislead the court by saying the government intends to use less intrusive devices (like a pen register) instead, or (c) fail to provide any information on what the technology is and how it operates. In either scenario, the warrant is predicated on a material omission that deprives a court of its constitutional obligation to balance government interests against intrusions into private rights.
  4. Invalid warrants: If a warrant accurately states law enforcement’s intended use of an IMSI catcher, it may be facially invalid due to the necessarily general nature of the search. The entire purpose of the warrant requirement is to require law enforcement to state with particularity the area to be searched and the persons or things to be seized. It remains an open question whether warrant particularity requirements can ever be compatible with intrusive dragnet surveillance technologies.

A separate and perhaps more troubling concern is the extreme lengths, only recently uncovered, that the government has gone to in order to keep this technology a secret. The federal government uses extensive non-disclosure agreements to prevent federal, state, and even local law enforcement from disclosing any details on the capabilities and usage of IMSI catchers. There have been a couple instances where judges demanded police to disclose possible use of an IMSI catcher at trial. Prosecutors in these instances have voluntarily dropped the evidence, offered plea bargains without jail time, or voluntarily dismissed the case altogether rather than disclose the device’s usage. Law enforcement agents have also demonstrated a willingness to offer alternative explanations for evidence obtained by an IMSI catcher. In one case where the FBI used a StingRay, for example, a discovered email from a special agent read: “we need to develop independent probable cause for the search warrant . . . FBI does not want to disclose the [redacted] (understandably so).”

IMSI catchers in the courts so far

The first reported decision dealing with an IMSI catcher was in 1995. In re United States, 885 F. Supp. 197 (C.D. Cal. 1995). The court, which had difficulty applying current law to the new surveillance technology, demanded that law enforcement develop stronger safeguards before permitting its use. Since 1995, nation-wide police practices of avoiding disclosure of the devices has largely shielded them from the view of courts. More recent orders from even the most tech-savvy magistrate judges suggest that judicial officers across the country still have little exposure to or understanding of IMSI technology. The lack of exposure and understanding is critical to continuing the law enforcement practice of applying for approval to use a “pen register” device.

Among the courts that have been faced with the question of IMSI catcher use, several—including the 7th Circuit in 2016—have declined to answer questions concerning the devices’ constitutionality. United States v. Patrick, 842 F.3d 540 (7th Cir. 2016). In his dissent, Chief Judge Wood described the avoidance strategies of law enforcement as “bad faith” that could justify suppression, and closed by writing that “it is time for the Sting[R]ay to come out of the shadows, so that it can be subject to the same kind of scrutiny as other mechanisms.”

The 7th Circuit ultimately did revisit the question of Sting[R]ays in Sanchez-Jara in 2018. United States v. Sanchez-Jara, 889 F.3d 418 (7th Cir. 2018). That court rejected the “general search” argument and upheld a warrant that referred generally to “electronic investigative techniques” without specifying the use of IMSI catcher technology. The other federal circuits have yet to reach a decision on the issue.

Andrews v. Balt. City Police Dep’t will almost certainly appear before the 4th Circuit again. While the question in that case deals with whether a pen register application can cover use of a Hailstorm device, deeper questions surrounding the constitutionality of a Hailstorm search underlie every aspect of the litigation. The court will be faced with a police department that has a history of abusing discretion, and that has shielded the courts from its use of IMSI catchers for years, in a moment of increased public scrutiny of police practices and procedures. The 4th Circuit thus has a unique opportunity to create a level of increased accountability for law enforcement, and to change the trajectory of police surveillance strategies for years to come.


Access Denied: Fifth Amendment Invoked to Prevent Law Enforcement From Accessing Phone

Hunter Moss, MJLST Staffer 

Mobile phones are an inescapable part of modern life. Research shows that 95% of Americans carry some sort of cell phone, while 77% own smartphones. These devices contain all sorts of personal information, including: call logs, emails, pictures, text messages, and access to social networks. It is unsurprising that the rise of mobile phone use has coincided with an increased interest from law enforcement. Gaining access to a phone could provide a monumental breakthrough in a criminal investigation.

Just as law enforcement is eager to rummage through a suspect’s phone, many individuals hope to keep personal data secret from prying eyes. Smartphone developers use a process called encryption to ensure their consumers’ data is kept private. In short, encryption is a process of encoding data and making it inaccessible without an encryption key. Manufacturers have come under increasing pressure to release encryption keys to law enforcement conducting criminal investigations. Most notable was the confrontation between the F.B.I. and Apple in the wake of the San Bernardino shooting. A magistrate judge ordered Apply to decrypt the shooter’s phone. The tech giant refused, stating that granting the government such a power would undermine the security, and the privacy, of all cellphone users.

The legal theory of a right to privacy has served as the foundation of defenses against government requests for cellphone data. These defenses have been couched in the Fourth Amendment, which is the Constitutional protection guaranteeing security against unreasonable searches. In a ruling that will have profound implications for the future of law enforcement, the Fourth Amendment protection was first extended to mobile phone data when the Supreme Court decided Carpenter v. United States in early 2018. The holding in Carpenter necessitates that warrants are granted during any government investigation seeking to obtain mobile phone records from service providers.

A case from Florida was the most recent iteration of a novel legal theory to shield smartphone users from government encroachment. While the Carpenter decision relied on the Fourth Amendment’s right to privacy, last week’s ruling by the Florida Court of Appeals invokes the Fifth Amendment to bar law enforcement agents from compelling suspects to enter their passcodes and unlocking their phones. This evolution of the Fifth Amendment was grounds for the court to quash a juvenile court’s order for the defendant to reveal his password, which would relinquish the privacy of his phone.

The Fifth Amendment is the constitutional protection from self-incrimination. A suspect in a criminal case cannot be compelled to communicate inculpatory evidence. Because a phone’s passcode is something that we, as the owners, “know,” being forced to divulge the information would be akin to being forced to testify against oneself. While mobile phone users might feel relieved that the development of Fifth Amendment is expanding privacy protections, smartphone owners shouldn’t be too quick to celebrate. While the Fifth Amendment might protect what you “know,” it does not protect what you “are.” Several courts have recognized that the police may unlock a phone using a suspect’s fingerprint or facial recognition software. Given that fingerprinting and mug shots are already routine procedures during an arrest, courts have been reluctant to view unlocking a phone in either manner as an additional burden on suspects.

Technology has seen some incredible advancements over the last few years, particularly in the field of mobile devices. Some have even theorized that our phones are becoming extensions of our minds. The legal framework providing constitutional protections supporting the right to privacy and the right against self-incrimination have trailed the pace of these developments. The new string of cases extending the Fifth Amendment to cellphone searches is an important step in the right direction. As phones have become a ubiquitous part of modern life, containing many of our most private and intimate information, it is clear that the law must continue to evolve to ensure that they are safeguarded from unwanted and unlimited government intrusion.


Carpenter Might Unite a Divided Court

Ellen Levis, MJLST Staffer

 

In late 2010, there was a robbery at a Radio Shack in Detroit. A few days later: a stick up at a T-Mobile store. A few more months, a few more robberies – until law enforcement noticed a pattern and eventually, in April 2011, the FBI arrested four men under suspicion of violating the Hobbs Act (that is, committing robberies that affect interstate commerce.)

One of the men confessed to the crimes and gave the FBI his cell phone number and the numbers of the other participants. The FBI used this information to obtain “transactional records” for each of the phone numbers, which magistrate judges granted under the Stored Communications Act. Based on this “cell-site evidence,” the government charged Timothy Carpenter with a slew of offenses. At trial, Carpenter moved to suppress the government’s cell-site evidence, which included 127 days of GPS tracking and placed his phone at 12,898 locations. The district court denied the motion to suppress; Carpenter was convicted and sentenced to 116 years in prison. The Sixth Circuit affirmed the district court’s decision when Carpenter appealed.

In November 2017, the Supreme Court heard what might be the most important privacy case of this generation. Carpenter v. United States asks the Supreme Court to consider whether the government, without a warrant, can track a person’s movement via geo-locational data beamed out by cell phone.   

Whatever they ultimately decide, the Justices seemed to present a uniquely united front in their questioning at oral arguments, with both Sonia Sotomayor and Neil Gorsuch hinting that warrantless cell-site evidence searches are incompatible with the protections promised by the Fourth Amendment.  

In United States v Jones, 132 S.Ct. 945 (2012), Sotomayor wrote a prescient concurring analysis of the challenge facing the Court as it attempts to translate the Fourth Amendment into the digital age. Sotomayor expressed doubt that “people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.” And further, she “would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.”

In the Carpenter oral argument, Sotomayor elaborated on the claims she made in United States v Jones 132 S.Ct. 945 (2012). Similarly, throughout the Carpenter argument, Sotomayor gave concrete examples of how extensively Americans use their cellphones and how invasive cell phone tracking could become. “I know that most young people have the phones in the bed with them. . . I know people who take phones into public restrooms. They take them with them everywhere. It’s an appendage now for some people . . .Why is it okay to use the signals that phone is using from that person’s bedroom, made accessible to law enforcement without probable cause?”

Gorsuch, on the other hand, drilled down on a property-rights theory of the Fourth Amendment, questioning whether a person had a property interest in the data they created. He stated,  “it seems like [the] whole argument boils down to — if we get it from a third party we’re okay, regardless of property interest, regardless of anything else.” And he continued, “John Adams said one of the reasons for the war was the use by the government of third parties to obtain information forced them to help as their snitches and snoops. Why isn’t this argument exactly what the framers were concerned about?”


University of Minnesota Partners With Michigan State University to Launch SCOTUS Notes

Brandy Hough, MJLST Staffer

 

If you thought your elementary school’s grueling cursive curriculum was all for naught, you’re sadly mistaken. The University of Minnesota, in partnership with Michigan State University, launched a crowdsourcing project this month to transcribe Supreme Court justices’ handwritten conference notes. The project, dubbed SCOTUS Notes, engages “citizen archivists” to decipher and transcribe the justices’ notes, with the goal of making them broadly accessible in an electronic and legible format. If you can spot a cursive Z from a mile away, you might just help transcribe history.

 

Researchers at the two universities received a three-year federal grant from the National Science Foundation to fund the project, which is hosted on Zooniverse, a large-scale platform for “people-powered research.” The researchers hope that crowdsourcing the work will lead to more efficient and accurate results than could be achieved by staff researchers alone. Project co-director Tim Johnson explains that ten people independently transcribe each page, which allows researchers “to obtain high level agreement scores for every word transcribed—even when the words are really difficult to determine.” At the time of writing, 876 volunteers have registered since the project’s February 13 launch date. You can monitor the project’s progress in real time on the SCOTUS Notes Zooniverse page.

 

In its current phase, SCOTUS Notes aims to harness its volunteer power to transcribe 12,600 pages of conference notes taken by Justices Harry A. Blackmun and William J. Brennan related to cases decided between 1959 and 1994. These notes provide valuable insights into judicial decision-making at our nation’s highest level. As explained on the SCOTUS Notes blog:

 

“U.S. Supreme Court justices cast votes in complete secrecy during weekly meetings, which only justices are allowed to attend. During these meetings, the justices discuss, deliberate, and make initial decisions on cases they have heard–many of which address the most important legal and policy issues in the U.S.. The written notes the justices themselves take during these meetings provide the only record of what was said and by whom.”

 

Project co-director Tim Johnson adds “I think law students will find that ‘understanding how the sausage is made’ is integral to understanding how and why SCOTUS makes the decisions it does. Without knowing what happens behind the scenes it is hard to really hard to have a fully accurate picture.”

 

In the future, the researchers plan to engage volunteers to transcribe notes of Justices Powell, Douglas, Marshall, Rehnquist and Warren. Upon completion of the project, scotusnotes.org will provide public access to images of the original pages as well as the transcriptions. 

 

For more information or to get involved with the project, visit the SCOTUS Notes page at https://www.zooniverse.org/projects/zooniverse/scotus-notes-behind-the-scenes-at-supreme-court-conference.


United States v. Microsoft Corp.: A Chance for SCOTUS to Address the Scope of the Stored Communications Act

Maya Digre, MJLST Staffer

 

On October 16th, 2017 the United States Supreme Court granted the Federal Government’s petition for certiorari in United States v. Microsoft Corp. The case is about a warrant issued to Microsoft that ordered it to seize and produce the contents of a customer’s e-mail account that the government believed was being used in furtherance of narcotics trafficking. Microsoft produced the non-content information that was stored in the U.S., but moved to quash the warrant with respect to the information that was stored abroad in Ireland. Microsoft claimed that the only way to access the information was through the Dublin data center, even though this data center could also be accessed by their database management program located at some of their U.S. locations.

 

The district court of New York determined that Microsoft was in civil contempt for not complying with the warrant. The 2nd Circuit reversed, stating that “Neither explicitly or implicitly does the statute envision the application of its warrant provision overseas” and “the application of the Act that the government proposes – interpreting ‘warrant’ to require a service provider to retrieve material from beyond the borders of the United States – would require us to disregard the presumption against extraterritoriality.” The court used traditional tools of statutory interpretation in the opinion including plain meaning, presumption against extraterritoriality, and legislative history.

 

The issue in the case, according to ScotusBlog is “whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.” Essentially, the dispute centers on the scope of the Stored Communications Act (“SCA”) with respect to information that is stored abroad. The larger issue is the tension between international privacy laws, and the absolute nature of warrants issued in the United States. According to the New York Times, “the case is part of a broader clash between the technology industry and the federal government in the digital age.”

 

I think that the broader issue is something that the Supreme Court should address. However, I am not certain that this is the best case for the court. The fact that Microsoft can access the information from data centers in the United States with their database management program seems to weaken their claim. The case may be stronger for companies who cannot access information that they store abroad from within the United States. Regardless of this weakness, the Supreme Court should rule in favor of the State to preserve the force of warrants of this nature. It was Microsoft’s choice to store the information abroad, and I don’t think the choices of companies should impede legitimate crime-fighting goals of the government. Additionally, if the Court ruled that the warrant does not reach information that is stored abroad, this may incentivize companies to keep their information out of the reach of a U.S. warrant by storing it abroad. This is not a favorable policy choice for the Supreme Court to make; the justices should rule in favor of the government.

 

Unfortunately, the Court will not get to make a ruling on this case after Microsoft decided to drop it following the DOJ’s agreement to change its policy.


Microsoft Triumphs in Fight to Notify Users of Government Data Requests

Brandy Hough, MJLST Staffer

 

This week, Microsoft announced it will drop its secrecy order lawsuit against the U.S. government after the Deputy U.S. Attorney General issued a binding policy limiting the use and term of protective orders issued pursuant to 18 U.S.C. §2705(b) of the Electronic Communications Privacy Act of 1986 (“ECPA”), also referred to as the Stored Communications Act (“SCA”).

 

The ECPA governs requests to obtain user records and information from electronic service providers. “Under the SCA, the government may compel the disclosure of . . . information via subpoena, a court order under 18 U.S.C. § 2703(d), or a search warrant.” Pursuant to 18 U.S.C. § 2705(b), a government entity may apply for an order preventing a provider from notifying its user of the existence of the warrant, subpoena, or court order. Such an order is to be granted only if “there is reason to believe” that such notification will result in (1) endangering an individual’s life or physical safety; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of witnesses; or (5) seriously jeopardizing an investigation or delaying a trial.

 

Microsoft’s April 2016 lawsuit stemmed from what it viewed as routine overuse of protective orders accompanying government requests for user data under the ECPA, often without fixed end dates. Microsoft alleged both First and Fourth Amendment violations, arguing that “its customers have a right to know when the government obtains a warrant to read their emails, and . . . Microsoft has a right to tell them.” Many technology leaders, including Apple, Amazon, and Twitter, signed amicus briefs in support of Microsoft’s efforts.

 

The Deputy Attorney General’s October 19th memo states that “[e]ach §2705(b) order should have an appropriate factual basis and each order should extend only as long as necessary to satisfy the government’s interest.” It further outlines steps that prosecutors applying for §2705(b) orders must follow, including one that states “[b]arring exceptional circumstances, prosecutors filing § 2705(b) applications may only seek to delay notice for one year or less.” The guidelines apply prospectively to applications seeking protective orders filed on or after November 18, 2017.

 

Microsoft isn’t sitting back to celebrate its success; instead, it is continuing its efforts outside the courtroom, pushing for Congress to amend the ECPA to address secrecy orders.

 

Had the case progressed without these changes, the court should have ruled in favor of Microsoft. Because the way § 2705(b) of the SCA was written, it allowed the government to exploit the “vague legal standards . . . to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand.”This behavior violated both the First Amendment – by restraining Microsoft’s speech based on “purely subjective criteria” rather than requiring the government to “establish that the continuing restraint on speech is narrowly tailored to promote a compelling interest”  – and the Fourth Amendment – by not allowing users to know if the government searches and seizes their cloud-based property, in contrast to the way Fourth Amendment rights  are afforded to information stored in a person’s home or business. The court therefore should have declared, as Microsoft urged, that § 2705(b) was “unconstitutional on its face.”

 


Sex Offenders on Social Media?!

Young Choo, MJLST Staffer

 

A sex offender’s access to social media is problematic nowadays on social media, especially considering the vast amount of dating apps you can use to meet other users. Crimes committed through the use of dating apps (such as Tinder and Grindr) include rape, child sex grooming and attempted murder. These statistics have increased seven-fold in just two years. Although sex offenders are required to register with the State, and individuals can get accesses to each state’s sex offender registry online, there are few laws and regulations designed to combat this specific situation in which minors or other young adults can become victims of sex crimes. A new dating app called “Gastby” was introduced to resolve this situation. When new users sign up for Gatsby, they’re put through a criminal background check, which includes sex offender registries.

Should sex-offenders even be allowed to get access to the social media? Recent Supreme Court case, Packingham v. North Carolina, decided that a North Carolina law preventing sex offenders getting access to a commercial social networking web site is unconstitutional due to the First Amendment’s Free Speech Clause. The Court emphasized the fact that accessing to the social media is vital for citizens in the exercise of First Amendment rights. The North Carolina law was struck down mainly because it wasn’t “narrowly tailored to serve a significant governmental interest,” but the Court noted that this decision does not prevent a State from enacting more specific laws to address and ban certain activity of sex offender on social media.

The new online dating app, Gatsby, cannot be the only solution to the current situation. There are already an estimated 50 million people using Tinder in the world and the users do not have a method of determining whether their matches may be sex offenders. New laws narrowly-tailored to address the situation, perhaps requiring dating apps to do background checks on users or an alternative method to prevent sex offenders from utilizing the dating app, might be necessary to reduce the increasing number of crimes through the dating apps.