Given technological and legal change in the last 20 years, the biggest problem with the Stored Communications Act is not how little protection it offered contents, but how it excludes most non-content data from protection at all.
The SCA is often criticized for not protecting all contents of communications (like emails) with a warrant protection. Big problem in theory, but less so in practice: 4th Amendment caselaw requires warrants, and providers won’t turn over contents w/o a warrant as a result.
The bigger problem, I think — one that gets little attention — is that the statute is only designed to give rights in non-content data for messaging (ECS) and cloud storage (RCS) services. But today websites store a lot of data about users outside those services.
See the quote tweet at the beginning of the thread, about how much data Amazon has about users. Off the top of my head, I’d say that’s outside the SCA’s protection, meaning that the government can get with a subpoena. No need to go to a judge, and no need to establish cause.
We haven’t seen this often in cases yet, but I suspect it will: It will be like getting bank and credit card statements, but for popular websites. Would make sense, I think, to expand the SCA to extend its 2703d “reasonable suspicion” protections to that data. /end
• • •
Missing some Tweet in this thread? You can try to
force a refresh
A little inside baseball, but one of the many puzzling aspects of the Amy Chua situation at Yale (which every “New York”-titled publication is required to cover) is the apparent sense that she has nearly unbounded abilities to get students top clerkships.
I can’t tell if it’s just Yale student lore, or if it’s real. If it’s real, perhaps reflecting Yale’s weird limit on letting students prove themselves on blind-graded exams, so they feel they have to rely on faculty connections willing to go to bat for them? I don’t know.
And if it’s not real, where does the impression come from?
Reporters looking into the Schiff and McGhan investigations should be making sure that when they report about “subpoenas,” they actually mean subpoenas and not 18 U.S.C. § 2703(d) orders (which are served like subpoenas). The latter are a lot more invasive than the former.
To make a long ECPA short, subpoenas are largely unregulated but can’t (in the Internet context) get the govt much. An account name, IP addresses it was assigned, not much else. /1
But 2703(d) orders are more like warrants: a judge needs to sign off on it and its showing of cause. And it can get all non-content transactional records of the account, like who you contacted and when. /2
Apple says it is tightening its rules on subpoenas, but I don't get it: If Apple says it will only give records relating to 25 accounts per subpoena, doesn't the govt just issue more subpoenas? Subpoenas don't require cause. news.trust.org/item/202106112…
Oh, you want records from 73 accounts? We have had enough: From now on, you must attach three .pdfs, not one .pdf.
It's possible that what Apple is trying to do is limit two-step orders. For example, say DOJ serves an order on Apple for the records of target 1, wanting to know who target 1 has communicated with. It next wants the records of the people who communicated with target 1. /1
A longish thread on Van Buren: Where does it leave the CFAA?
Here's a first cut.
The computer hacking statute, the CFAA, prohibits two things: access without authorization, and exceeds authorized access. Access without authorization is understood to require some kind of breaking in. The question here is whether exceeds authorized access does, too.
As I read the new decision, the Court says yes -- exceeding authorized access also requires some breaking in. The court agrees with the defendant's claim that the two prohibitions are similar -- at just different stages. The Court calls this a "gates-up-or-down" inquiry.
There's a lot to be said about the traffic stop of Lieutenant Caron Nazario, but one of them is that it makes this 2015 blog post unfortunately relevant again:
"Sandra Bland and the 'Lawful Order’ Problem."
(Given the paywall, I'll include screenshots.) washingtonpost.com/news/volokh-co…