Apple says it is tightening its rules on subpoenas, but I don't get it: If Apple says it will only give records relating to 25 accounts per subpoena, doesn't the govt just issue more subpoenas? Subpoenas don't require cause. news.trust.org/item/202106112…
Oh, you want records from 73 accounts? We have had enough: From now on, you must attach three .pdfs, not one .pdf.
It's possible that what Apple is trying to do is limit two-step orders. For example, say DOJ serves an order on Apple for the records of target 1, wanting to know who target 1 has communicated with. It next wants the records of the people who communicated with target 1. /1
It's possible that what Apple is doing is limiting how many step 2 records it will give up in the one-step subpoena: "We'll tell you who target 1 has communicated with, and then records of up to 25 of those people." /2
Maybe it's a way of slowing DOJ down, making them get more rounds of subpoenas? Not sure. I think multi-step orders could use some legislative attention, fwiw, although I don't know if that is what is happening here. /3
Here it is in Apple’s published law enforcement guidelines —“due to system limitations,” it says. apple.com/legal/privacy/…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Reporters looking into the Schiff and McGhan investigations should be making sure that when they report about “subpoenas,” they actually mean subpoenas and not 18 U.S.C. § 2703(d) orders (which are served like subpoenas). The latter are a lot more invasive than the former.
To make a long ECPA short, subpoenas are largely unregulated but can’t (in the Internet context) get the govt much. An account name, IP addresses it was assigned, not much else. /1
But 2703(d) orders are more like warrants: a judge needs to sign off on it and its showing of cause. And it can get all non-content transactional records of the account, like who you contacted and when. /2
A longish thread on Van Buren: Where does it leave the CFAA?
Here's a first cut.
The computer hacking statute, the CFAA, prohibits two things: access without authorization, and exceeds authorized access. Access without authorization is understood to require some kind of breaking in. The question here is whether exceeds authorized access does, too.
As I read the new decision, the Court says yes -- exceeding authorized access also requires some breaking in. The court agrees with the defendant's claim that the two prohibitions are similar -- at just different stages. The Court calls this a "gates-up-or-down" inquiry.
There's a lot to be said about the traffic stop of Lieutenant Caron Nazario, but one of them is that it makes this 2015 blog post unfortunately relevant again:
"Sandra Bland and the 'Lawful Order’ Problem."
(Given the paywall, I'll include screenshots.) washingtonpost.com/news/volokh-co…
The interview above was recorded in 1997, and none of it has ever been shown outside my family before. At some point I'm going to make a full length edited video of it to post on Youtube (it was 5+ hours long, so it needs to be shortened). But, for now, this excerpt.
When a father consented to a search of his "son's account" on their jointly used computer, investigators exceeded the scope of consent when they searched the recycle bin, which included files from multiple users. Child porn found there is suppressed. wicourts.gov/ca/opinion/Dis…#N
The forensic tool used to search the computer grouped the deleted files from all accounts in the same place, the recycle bin, without indicating from which account a particular file had originated. Acc to the court, using the tool to search that was beyond the scope of consent.
This case touches on a question that I cover in my computer crime law casebook and discuss in my class: How do you apply consent principles to computer searches when people consent in regular-user-speak but forensic analysts think in forensic-tool-speak?