Who Has Access to Your Data: House Select Committee Investigation Raises Privacy Concerns

September 14, 2021

By Jaime Rosenberg

The House Select Committee investigating the January 6th riot has asked 35 telecommunications and social media companies to preserve phone records and other information belonging to members of Congress, former President Donald Trump, and members of the Trump family, who were affiliated with the “Stop the Steal” rally. How can the Committee request this information and why is this important?

We are told constantly that if you are active on social media or even just have an iPhone, then you have no privacy, and the government can get everything. The question: is this true? The answer: privacy does not exist, and the government can get your information without you even knowing. This means your entire iCloud account where all of your messages and pictures are saved, and every Snapchat picture or Instagram message you have ever sent. For businesses, all of your Slack or Microsoft Teams messages could be seized. Now, how does this happen?

The Law

The Stored Communications Act, 18 U.S.C. § 2703 (Required disclosure of customer communications or records) allows the U.S. government to issue subpoenas, obtain search warrants, and use other legal processes to collect electronic data held by tech companies.  Prosecutors use grand jury subpoenas to obtain all sorts of information such as subscriber information for social media accounts, messages, and pictures. Unlike a search warrant, a grand jury subpoena does not require a court finding of probable cause. Instead, the standard for a prosecutor to issue a subpoena under the authority of a grand jury is any reasonable probability that the subpoena will produce information that is relevant to a matter under investigation. This is a very low standard.

Non-Disclosure Orders (NDOs)

Here’s the scariest part: the U.S. government can obtain your data from a tech company and you could have no idea this is even happening. Section 2705(b) (Delayed notice) permits courts to issue non-disclosure orders (NDOs) to prevent companies from notifying their customers of the existence of legal process issued under § 2703. To obtain an NDO, the government must show reason to believe that the notification will result in:

  • Endangering the life or physical safety of an individual;
  • Flight from prosecution;
  • Destruction of or tampering with evidence;
  • Intimidation of potential witnesses; or
  • Otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Again, this is a pretty low standard. Although courts have found that companies that receive an NDO have suffered injury in fact to give them standing, challenging an NDO is near impossible because recipients of such orders (typically the tech companies) receive little to no information, leaving them no basis to challenge a magistrate’s finding that disclosure may compromise a criminal investigation. When receiving an NDO, the tech companies only receive the NDO itself, which contains basic form language, and not a copy of the government’s application for the request.

Tech Companies’ Policies

We use technology every day, in our personal lives and in our professional lives. It is most likely that you use one of the following platforms every day:

What do these tech companies do when they receive such requests from the government? All of these companies have customer data request policies and they are almost all exactly the same. I’ve linked to their policies above if you don’t believe me.

One representative example policy is from Apple. Its policy states:

  • Apple will notify customers when their Apple account information is being sought in response to legal process from government, law enforcement, or third parties, except where providing notice is explicitly prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case.
  • Apple will provide delayed notice for emergency disclosures after 90 days barring any exceptions mentioned above.
  • Apple will notify its customers when their Apple account has been restricted/deleted as a result of Apple receiving a court order demonstrating that the account to be restricted/deleted was used unlawfully or in violation of Apple’s terms of service barring any exceptions mentioned above.

It’s a good thing that the standard for tech companies is to notify their customers of any data requests. Unfortunately, whether or not they are allowed to notify their customers is the issue.

Example of A Government Subpoena: Twitter

You are probably thinking, “okay, this seems bad, but does it actually happen to people other than Congressmembers and the Trump family?” The answer: yes, it unfortunately does. For example, a court filing revealed that the Department of Justice (DOJ) had used a grand jury subpoena in late November 2020 to seek subscriber records for a Twitter account that mocks U.S. House of Representatives Congressman Devin Nunes (R-California). When Twitter questioned the legal authority for the subpoena, the prosecutor stated that the investigation was based on federal statute, 18 U.S.C. § 875(c), which makes it a crime to communicate interstate threats to kidnap or harm another person.

The prosecutor did not identify any threatening tweets. Twitter filed a motion to quash the subpoena, stating that the account’s tweets did not reveal any threatening content. Instead, the content related to current events, government policies, and Rep. Nunes. Twitter stated that the subpoena may relate to Rep. Nunes’ “repeated efforts to unmask individuals behind parody accounts critical of him,” which is a huge First Amendment concern.

What Can Companies Do Going Forward?

Companies can take steps to protect themselves and their customers from government subpoenas and NDOs. For companies subject to the Stored Communications Act, one step they can take is to implement a policy of challenging government data requests and NDOs whenever possible. Microsoft has implemented a policy under which it challenges every government request for public sector or enterprise customer data where there is a lawful basis to do so. By implementing a similar policy, companies will gain customer trust and may even deter the government from pursuing subpoenas or NDOs with the fear of pushback. However, implementing this type of policy can be expensive due to the resources needed and legal expenses.

Companies not subject to the Stored Communications Act can implement language into their contracts with their providers who are subject to the Stored Communications Act stating that they must provide notice to them if they receive any requests for their data from the government (assuming that request is not accompanied by an NDO, of course). Contractual provisions provide a more specific basis for providers to challenge an NDO.

What Can You Do To Protect Yourself?

Besides throwing all of your electronics into the ocean and living in the Alaskan wilderness, there is not much you can do to prevent the government from getting your data. However, you can be careful with what you put on social media, what you send through messaging apps, and what information you keep on your phone and your computers. Customers can reach out to the companies and platforms they often use and petition them to implement policies that challenge government requests for customer data. You can also use privacy-focused messaging apps that have end-to-end encryption in order to limit what data the government can access.

Published by Kropf Moseley

Whether you need to take a case to trial, negotiate a resolution without ever setting foot in the courtroom, or navigate a complex public relations problem, we can help. View all posts by Kropf Moseley.