Government Wins Latest Chapter In ECPA Skirmish Involving WikiLeaks

Published On November 14, 2011 | By Randy Sabett | General, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On Thursday, November 11, Judge Liam O’Grady, U.S. District Court for the Eastern District of Virginia upheld a magistrate judge’s order that the Stored Communications Act (“SCA”) (18 U.S.C. §§ 2701 et seq.))  (Title II of the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. §§ 2510 et seq.)) entitles the DOJ to non-content information related to Twitter accounts used by three different people associated with WikiLeaks (the “Twitter Order”).

The government sought only non-content information from Twitter under the SCA standard set forth in section 2703(d). That section authorizes disclosure of communications records upon a showing of specific and articulable facts that there are reasonable grounds to believe the information sought is relevant and material to an ongoing investigation.  This statutory standard, while still requiring judicial review, is lower than the probable cause showing required to obtain a warrant under the Fourth Amendment because the information being sought is non-content electronic records.

In this latest ruling, Judge O’Grady denied all of the WikiLeaks Petitioners claims, including the most significant matter of their First and Fourth Amendment challenges. The two most persuasive facts for the Court were that (a) the WikiLeaks Petitioners had voluntarily provided their Internet Protocol (“IP”) address to third parties and could not, therefore, claim any kind of Fourth Amendment or First Amendment violation and (b) the WikiLeaks Petitioners had signed up to the Twitter Terms of Use (“TOU”) that incorporated the Twitter Privacy Policy and that under those terms they knew their information could be turned over to the government.

The WikiLeaks Petitioners claimed that warrantless disclosure of their Internet Protocol (IP) addresses would inappropriately reveal information “about the interior of Petitioners homes” and, thereby violate the Fourth Amendment.  The Court rejected this reasoning, holding instead that the third-party doctrine applies in this case because the WikiLeaks Petitioners had to agree to the Twitter Terms of Use and Privacy Policy.  By agreeing to such terms, they were informed that their IP addresses were being shared with and would be further retransmitted by Twitter. “A person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,” the Court noted. “Instead of withdrawing their IP address information from public view, Petitioners transmitted their IP address information out of any private spaces and onto the Internet” thereby exposing their IP addresses to any machines that would have been involved in routing their Internet traffic.

The Court used a similar analysis to reject the WikiLeaks Petitioners First Amendment challenge, which contended that “the Twitter Order has chilled their rights of association and speech.”  The court pointed to the fact that “any ‘chilling effect’ of the Twitter Order could be no more severe than that created by Petitioners’ own actions.”

The facts justifying the order remain under seal.  The Court held that the U.S. interest in protecting its ongoing investigation outweighs the interests favoring disclosure.  Specifically, the docket sheet and the application for the Twitter Order in the case would disclose significant detail about the investigation and make it easy to guess the probably subject matter and targets of the otherwise secret grand jury investigation. However, the Court did find that the “factual basis for the Twitter Order was significantly more concrete than the ‘mere speculation’ or ‘blind request’ that Petitioners complain of” and that the information sought was “clearly material to establishing key facts related to an ongoing investigation, and would have assisted a grand jury.”

This ruling by the Eastern District of Virginia attempts to draw an appropriate balance in the ongoing battle between law enforcement and Internet criminals.  The Court recognized the importance of protecting privacy, but found that increasingly sophisticated and powerful technology makes investigatory efforts by law enforcement more difficult.  The court noted that 2703 orders do require pre-issuance judicial review, and special notice and hearing opportunities under certain circumstances.

It must be reiterated that in this case only non-content information was released (e.g., information relating to name, address, connection information, telephone number or network address, or method of payment).  Arguably, law enforcement is entitled to such information in order to properly do its job.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.

Leave a Reply

Your email address will not be published. Required fields are marked *