Online overreach

In an increasingly digitised world where data is as valuable as it is prolific, balancing the rights of the individual with corporate interests is a nebulous task for businesses of all sizes. But what about when the entity seeking that data is the government?

‘If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place,’ – Eric Schmidt, CEO, Alphabet Inc.

The issue of data privacy has been an increasingly prevalent one for corporates and, subsequently, their general counsel in recent years. When the European Union’s General Data Protection Regulation entered into force in 2016 ahead of its 2018 implementation, businesses the world around were put on notice: the rights of the individual with respect to personal data – its collection, storage and use – were now subject to stringent protections designed to safeguard the end user against corporate interests.

But while the boundaries between business prerogatives and the right to privacy have grown increasingly clear, how companies – particularly those working in tech – handle requests for data from the government and law enforcement remains opaque, particularly with new – or, legally speaking, untested technology.

‘Uncertainty with technology is a real problem for civil liberties, because oftentimes what you’ll see is law enforcement trying to engage in a novel kind of search – or novel kind of information request – that’s never been done before,’ explains Esha Bhandari, staff attorney with American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project.

‘The lack of precedent apparent can be used to their advantage – almost an ask first and then see whether or not a court, or the subject of the request, pushes back. That creates a problem when you have the government or law enforcement pushing to try out new types of technology or search requests. The ambiguity in the law is used to their advantage because that particular fact pattern hasn’t explicitly arisen before.’

In such cases, the prerogative for protection of users often falls on the company faced with the request. In the first instance, advising on a matter like this will typically fall on the shoulders of the general counsel, who will be tasked with balancing the rights of the individual with those of the public at large – represented by those tasked with governing the general populous – as well as that of the business itself.

But in a world in which data and the broad-based learnings that can be derived from it become progressively more sophisticated and prominent, determining what constitutes the public’s best interest – particularly in the face of a distinct lack of judicial guidance – has become nebulous at best. When that decision falls on corporate institutions instead of an independent judiciary, weighing the costs of doing the right thing against corporate imperatives like shareholder primacy becomes even more difficult.

‘The warrant was overbroad and turning over that information was a ridiculous request.’

This very issue came to the fore in the wake of the election of President Donald Trump, when law enforcement served subpoenas on a deluge of digital companies in an effort to obtain information which could lead to the identification and arrest of those involved with protesting and causing unrest in the run up to his inauguration.

‘It really harkens back to the question of, “Are we really living in a place where America’s own government is going to be spying on political dissidents?”,’ posits Stephanie Lacambra, criminal defence staff attorney at the Electronic Frontier Foundation (EFF).

‘It shouldn’t really come as a surprise given the practice of spying on dissidents goes back through many decades, from the civil rights movement to the Black Panthers. But what’s different now is that these requests are using technology to achieve their goals. In the information age, spying takes a different colour.’

DISRUPTJ20

In 2016, following the election of Donald Trump, a group called DisruptJ20 began posting online to organise protests to disrupt his 20 January inauguration the following year – relatively mundane stuff in the murky and anonymous online world. But when the US Department of Justice demanded access to all of the information held on the group by their webhost, DreamHost, it became a point of moral principle for the Los Angeles-based company and its general counsel, Chris Ghazarian.

‘Originally, we received a subpoena from the DOJ in January demanding information about the owner of the DisruptJ20 website. We reviewed the subpoena and everything seemed normal, so we produced the information,’ explains Ghazarian.

‘Fast-forward to July and this time we’ve been served with a search warrant, again, the target being DisruptJ20. The warrant we were served with wanted all of the information that we had about the website, not just subscriber information, email address or email content, they wanted our entire database of what we held on DisruptJ20.

‘That amount of information would be huge – we have our own logs that we keep internally for our systems, which include things like HTTP logs and the IP addresses of our visitors. Those IP addresses were the central issue of our case.’

While DreamHost regularly receives orders for information from law enforcement, the scope and depth of the request was unusual – prompting a deeper look from Ghazarian and his team.

‘The first thing we did when we received the warrant was to look over it with our compliance analyst, who told me about the scope. We went over it together and agreed that it was a very overbroad warrant, which was seeking a tonne of data,’ he says.

‘We reached out to the US attorneys that were working the case to have a conversation, because the warrant was overbroad and turning over that amount of information was a ridiculous request. We do this often when we take in court orders or government requests: we spend a lot of time on them and that usually involves reaching out to the appropriate agency or firm or whoever it is if we feel that it’s overly broad. But in this case, when we reached out, they were silent.’

What followed a week later was a motion to compel from the superior court in Washington DC, a common tactic used in discovery proceedings to force a non-complying party to turn over the requested information when they have either refused or the response received is deemed insufficient.

‘That didn’t sit well with us because, historically, we’ve been staunch supporters of privacy. We’ve always taken a strong stance against overly broad requests or similar issues when they arise with law enforcement,’ says Ghazarian.

‘We’ve maintained a strong relationship with all of our law enforcement agencies in the US. We’ve had agents back and forth all the time, we talk to them frequently. Never before had we had an issue like this, where we’re facing a motion to compel and the other side isn’t willing to play ball. So we took a step back, looked at the case up and down and realised we had something very interesting on our hands.’

OVERSIGHT OR OVERREACH?

With an unusual case afoot and significant privacy issues in play, DreamHost prepared to take the unusual strategy of starting a blog to alert the public just what was going on – a move Ghazarian says he was comfortable with after confirming that there was no gag order associated with the warrant.

‘What was particularly unique about this case was that we were dealing with so many people who had innocently visited the website and were going to have their information turned over to the government,’ Ghazarian explains.

‘The government claims that they don’t do anything with the information they don’t use – essentially that any information they didn’t need to look at would be deleted. But in reality, everything is digital, so you can never truly confirm whether something’s been deleted or not. You couldn’t do that with paper in the past, and in the digital age it’s so much harder. When you’re sending a file over the internet, there’s no way you can be absolutely sure that something hasn’t been copied or screenshotted. There’s no real audit trail.’

‘If we were to turn over this information, we would basically be handing over the browsing habits and identities of tens of thousands of people. We had 1.3 million IP addresses associated with DisruptJ20 over the course of the time span in the warrant. But the individual logs tell you a lot more than just that: the amount of time you spend reading each page, the photos you looked at or other links you clicked on originating from that page – everything is recorded. So you’re handing over an entire logbook to the government and that’s disturbing. Very disturbing.’

Of particular concern with the warrant was the content of the site and its underlying purpose – to organise peaceful political protest – which brought to the fore First and Fourth Amendment issues and concerns about whether the request was constitutional.

‘Freedom of speech and freedom of association were really implicated by the breadth of the request that was made,’ says Bhandari.

‘The warrant was specifically requesting information about people who had visited a website discussing organising a protest that was oppositional to the administration. What happens to our rights for freedom of expression, freedom of speech and freedom of association when all of our communications can potentially be seen, stored and analysed by the government? ’

‘Freedom of association was one of the issues we really honed in on and the fact that this can potentially be a very interesting issue if the government is taking action that can suppress that freedom,’ adds Ghazarian.

‘Freedom of association was one of the things we really honed in on.’

‘If you found out that your browsing habits are turned over to the government because you visited a political website, then the next time you want to read about politics or visit a political website, you’re probably going to think twice about whether or not you want to click on it – particularly if you know that there’s a blacklist of all of your information going straight to government from a webhost or ISP (internet service provider).’

DREAMHOST v DOJ

Because of the seriousness of the issues raised in the warrant, as well as DreamHost’s commitment to protecting the privacy of its users, the decision was made to challenge the order in court. Ghazarian retained a Washington DC-licensed external counsel and together, they began putting together DreamHost’s defence.

‘We filed our first argument late on a Friday night. I can remember working until after midnight, drafting the argument, books open all over my office, whiteboards littered with nodes and sites – it was a real throwback, like going back to law school,’ says Ghazarian.

‘Then, after the weekend, we posted our first blog post live on Monday. It was a very short blog which explained the request that we had received and what we were doing to fight against it. I went to bed that night and had no idea what was about to hit me on Tuesday morning.’

After the blog went live on Monday, the media went into overdrive – with Ghazarian tasked with fronting up and representing DreamHost – truly thrusting the issue and case into the public consciousness.

‘I’d never had anything like this happen during my career. I was in shock. I passed the bar in 2015, had barely been practising for two years and then suddenly I’m being asked to get ready to appear live on television to be interviewed by Anderson Cooper on CNN! Nothing can prepare you for that,’ says Ghazarian.

‘That was the day that everything really went public. It was crazy, but putting our case in the public eye – despite the pressure that came along with it all – the amount of support we received showed that we were doing the right thing. We had no intention of making this a front-page story, we just wanted to show what was happening behind the scenes and the type of things we do for every single one of our customers and ever subpoena or request that we receive.’

CALIFORNIA TAKES THE LEAD

California has been a leader, both in the US and globally, when it comes to enacting protections for digital consumers. The California Electronic Communications Privacy Act (CalECPA) invokes protections that require law enforcement to obtain a warrant in order to access a person’s private information – whether that be emails, text messages, location information or other personal data held digitally.

The upshot of this legislation was that law enforcement can no longer approach a company directly for data – it now has to be approved judicially. The Act makes specific reference to Fourth Amendment protections, while prescribing conditions for data access – including time, targets and type of information sought, as well as how data falling outside the scope of the warrant should be treated. In addition, the Act requires law enforcement agencies to notify the targets of the warrants that their data has been searched, as well as notifying the California Department of Justice about the search, which must be made public.

But while the CalECPA was hailed as a landmark development for data privacy and consumer protections when it was passed in 2015 – where, incidentally, it was co-sponsored by the Electronic Frontier Foundation (EFF) – Stephanie Lacambra, criminal defence staff attorney at EFF, says issues persist judicially.

‘In California, we’re fortunate enough to have a statewide law that requires specific articulation of particularity with regards to search warrants. But, even now, we’re fighting fights here in California, where it’s on the books, about exactly what is required for a warrant to meet the statutory requirements prescribed by the law,’ says Lacambra.

‘Still we’re seeing cases where the warrant doesn’t meet the requirements set out by statute that require suppression. We still have the courts saying that it’s at their discretion to decide whether suppression is appropriate and, as a result, we’re litigating a number of cases right now.’

One of the most prominent cases taken up by the EFF is against San Bernardino County Sheriff’s Department, which has refused to release the records as required by CalECPA. The case in question seeks to obtain the records to ascertain whether CalECPA is working effectively and law enforcement is complying.

‘At present, we’re trying to encourage the legislature at both the state and federal level to better articulate for the courts what the requirements ought to be, because there’s still a lot left at the discretion of the courts,’ says Lacambra.

‘In California, the courts can still find that a warrant doesn’t necessarily require everything set out in the Act, which then requires us to go and fight that in the appellate courts, to get the courts to tell law enforcement that there’s been a violation. The problem at the moment is that without further guidance, courts are still rubber stamping some very broad warrants.’

While Lacambra says that the California legislation has gone a long way to ‘try and rein in government overreach in this area’, more broadly she says that more has to be done to bring these issues to the fore and ensure that those involved become better informed.

‘In my view, it’s about educating the public, educating the judiciary, educating the practitioners that are litigating these issues, and educating the legislators to understand the technology and the issues that surround it,’ she says.

‘If they’re unfamiliar with the technology, how it works and just how invasive certain technologies like cell site simulators [the technology in question in the San Bernardino County Sheriff case] can be, they can’t appreciate the full implications of what’s being authorised.’

To this end, the EFF, a non-profit, offers their services – both to counsel and the judiciary alike – in order to help both make informed decisions about how data, technology and the law intersect, as well as to protect the rights of the individual in the digital space.

Explains Lacambra: ‘Our advice to GCs who find themselves in a similar situation to DreamHost, or for any situation where data and privacy is at stake, is to contact us early and often.’

The likes of the ACLU and EFF were quick to offer their support, with more than 100 organisations signing on to a joint public letter to then attorney general Jeff Sessions expressing concern over what they saw as an infringement on American values.

‘When we were involved in the case, we had a number of companies, senators and congressmen who were all lobbying for us directly to Jeff Sessions,’ says Ghazarian.

‘We also had a number of major tech companies publicly come out to back our decision to fight this order. We received a ridiculous amount of support, offers of donations, connections. I was getting calls left and right from so many people in politics and I’d hear the name and be like “Oh my god, I’ve heard this guy on the news so many times”, or you’d Google their names and find out a senator from some far-flung state would be offering their assistance.’

The outpouring of support and assistance, both publicly and behind closed doors, in addition to the wall-to-wall media coverage ignited significant public debate – mounting pressure on the DOJ to justify the legality of its actions specific to this case, as well as its overarching operating procedures. Facing a public relations nightmare and the prospect of a very public, potentially uphill battle in the courts, the DOJ retreated.

‘Two days before the hearing, there was breaking news on TV that the DOJ had pulled back their request for the information from DreamHost in terms of the IP addresses, and reissued their warrant with different language,’ says Ghazarian.

‘That was literally the biggest issue we were fighting for – the IP addresses. So now we’re in a position where the DOJ is publicly doubling back. They issued a public statement, with a corresponding filing, saying that they were never interested in finding out IP addresses or browsing habits of users and they would gladly not pursue those things.’

‘What was particularly interesting about that was that we had evidence on the record of us reaching out to them to explain the extent of their request, specifically the IP address issue – yet they claimed that they had no idea this information would be included. So, in our follow up filing, we pointed out that they knew this, included emails and other evidence to back that up. But the bottom line was, at this point, that was a huge win for us.’

IN YOUR DEFENCE

While pulling back the request for the IP addresses was indeed a significant win for DreamHost, at the time, they still remained involved in an active dispute with the DOJ over the remaining information requested in the warrant.

‘We filed a further response to the DOJ, alerting them to the fact that even though they had retracted the request for IP addresses, there were still a lot of other issues that needed to be talked about,’ says Ghazarian.

‘Our hearing was pushed back by two days at the request of the DOJ, so I flew out to Washington DC for our rescheduled hearing and our day in court. What first stood out – it was surreal really – was the sheer amount of press in attendance. Half of the room was dedicated just to the media and it was at capacity.’

Ruling on the case, Chief Judge Robert Morin of the Superior Court of Washington DC ruled that the DOJ’s request was a valid one and enforced its motion to compel – with some major changes and safeguards to limit the exposure of sensitive and private user information. Delivering his final order, Chief Judge Morin wrote:

‘Because of the potential breadth of the government’s review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the court has previously stated, while the government has the right to execute its warrant, it does not have the right to rummage through the information contained on DreamHost’s website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities. Accordingly, the court deems it appropriate to incorporate procedural safeguards to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons to the website DisruptJ20.’

‘We were fine with this result – to be fair, most reasonable people understand that we weren’t fighting this warrant in order to prohibit the government from obtaining information from DreamHost. At the end of the day, this was a government-issued warrant and they wanted information regarding the case pending against the protestors. We deal with hundreds of these a year, but there’s a proper way to go about these requests,’ Ghazarian explains.

‘Our issue was that the DOJ was casting an ultra-wide net, and would have obtained a tonne of data that violated internet users’ privacy.We knew at the end of the day we would have to turn over some information – we didn’t want to play hardball with that aspect. We just wanted to cut down the legal request to what we thought was reasonable – not overbroad or overreaching.’

What was interesting about the ruling though, something which surprised Ghazarian, was that the final order to turn over information and how that would be carried out was to be negotiated between DreamHost and the DOJ. Rather than having to hand over the information there and then, the negotiation process went on over the following three months, with DreamHost and the DOJ both submitting a proposed order, after which the judge made a final ruling.

‘When that ruling came in, it was one of the happiest days of my legal career. I remember sitting there, going through the order line by line. We had requested a number of protective measures because of the sensitivity of the information requested,’ says Ghazarian.

‘For most of our arguments and requests, the judge had agreed. Anything that was private information – names, addresses, phone numbers, emails – had to be redacted. So we handed over heavily redacted documents to the DOJ, who were then required to identify what information from that production they wanted to use, then identify the agents who were working on the case and with the information, then appeal to the court and justify to the judge why they needed any of the information they were requesting. Then finally, if they wanted any of the information to be unredacted, they needed to show probable cause for it.’

PROTECTING THE FUTURE

The publicity that surrounded the case brought attention to the issues inherent with the DreamHost case, and the underlying constitutional considerations will likely have the most lasting impact. While the courts’ decision to restrict the ability of both the government and law enforcement to access private user data goes some way in terms of establishing judicial guidance moving forward, whether that will stand up to further checks and tests on the power of law enforcement with respect to data remains to be seen.

‘When that ruling came in, it was one of the happiest days of my legal career.’

‘In terms of future precedent and impacting future issues that come up under these categories, our case helps set a great foundation,’ says Ghazarian.

‘In fact, shortly after our case, Facebook had their own issues with the DOJ over DisruptJ20 and they used some of our arguments that we filed in court in their own case.’

While the likes of major companies like Facebook or historically strong advocates for privacy rights like DreamHost have both the will and resources to contest orders that are seen to overreach, clearly that isn’t the case for all companies.

‘It’s certainly important for companies to take on some of these issues and offer to fight these requests, but it does take companies having the wherewithal to recognise requests that are problematic, then having the resources and will to be able to challenge it. This also means that smaller companies will often not have the ability to fight back. So we live in an asymmetrical world where we don’t quite know everything that the government is doing with regards to requests for data, because it’s guaranteed that there are a number of these requests that never see the light of day, because the company didn’t have the ability to fight back,’ explains Bhandari.

‘If DreamHost had not stood up for its users the way that it did, then this issue quite literally would have gone under the radar. All of this subscriber information would have been turned over to the government and the timeliness with which users would be notified would have been left to the discretion of the courts. Had the government asked for a gag order to prevent DreamHost from notifying users that their data had been compromised and provided to law enforcement, then there’s a good chance that the users would never have even found out.’

That raises the question of whether a legislative response is required to enshrine rights to digital privacy and protection. While California (see boxout) has taken steps to make the process of accessing data more transparent – in particular eliminating any discretion for companies dealing with requests from law enforcement and putting the onus in the hands of the judiciary; codifying requirements and tests to justify access; and spelling out clear requirements for notifying individuals when their data has been accessed – it remains the clear exception. Other states have moved to provide updated protections in their own jurisdictions, but in the absence of an update to federal legislation, which remains outdated and stagnant, the rights of the individual when it comes to their data will continue to fall to the conscience of corporates.