Different types of data require different types of legal process. A company needs to ensure that it is in compliance with constantly changing privacy laws while building transparency and trust with its users. To process data requests, tools or platforms may also need to be designed and developed. A smooth internal communication route across different functions in a company and clear processes play a crucial role. It is ideal to have a diverse law enforcement response team with different skills and backgrounds to ensure all critical elements of the work are covered. It can be challenging and time consuming to try to explore the best work process and detect potential threats all by yourself. Sharing best practices and knowledge across the industry may help the whole of our industry thrive and be safe.
Common U.S. Legal Requests
- Preservation request: 18 U.S.C. § 2703(f) stipulates that upon the request of a governmental entity, a provider of wire or electronic communication services or a remote computing service shall “take all necessary steps to preserve records and other evidence in its possession” while a law enforcement agency is in the preparation of further legal process and investigation. The preservation would take a one-time snapshot of the relevant account information. The records and other evidence would be retained for a period of 90 days and a preservation request could be extended for an additional 90-day period upon a renewed request by the governmental entity. If a third party service provider does not receive formal legal notice for the preserved records and other evidence before the end of the preservation period, it is at the discretion of the third party service provider whether to delete the preserved information.
- Subpoena: A subpoena is a legal document that compels a person or an entity to testify on a particular subject as a witness at a given time and place. It may also require a person or an entity to produce documents or data.
It is common for internet companies to be served with a subpoena and be requested to provide information. As 18 U.S.C. § 2703(c)(2) states, with a subpoena, the governmental entity may request access to basic user and transaction information, including:
- Local and long distance telephone connection records, or records of session times and durations;
- Length of service (including start date) and types of service utilized;
- Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address;
- Means and source of payment for such service (including any credit card or bank account number).
In a civil subpoena, the first name listed is the plaintiff and the name following the “v.” is the defendant, such as Jane Doe v. John Doe. In this example, Jane Doe is the plaintiff and John Doe is the defendant. In a criminal subpoena, the plaintiff is replaced by “The People,” which is the state on behalf of the victim, with the defendant following after the “v.” The case number is also an important indicator: CIV or CV means civil, and CRIM or CR means criminal.
- D order: 18 U.S.C. § 2703(d) – A D order may be issued by any court that is a court of competent jurisdiction and will be issued only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.
According to 18 U.S.C. § 2703(c)(1), a D order can request information beyond what can be disclosed with a subpoena. It provides governmental entities an intermediate procedure between subpoena and search warrant when requesting disclosure of information. It has a higher standard than a subpoena, but does not require probable cause like in a search warrant.
- Search warrant: A search warrant is a court order signed by a judge authorizing a law enforcement agency to search for specific objects or materials at a specified area. The legal threshold for issuing a search warrant is high. A search warrant will only be issued when there is probable cause for a judge to reasonably believe that the search will turn up evidence of a crime. A search warrant allows companies to produce the most sensitive types of data, such as emails and direct messages. The data types are defined in the Electronic Communications Privacy Act (ECPA) as “content” and “non content.” As always, it is important to check with your legal counsel before providing any data. Please also see the section of “Gathering Data” below.
- Non-disclosure order: A non-disclosure order usually accompanies a subpoena or search warrant. It prohibits the provider of electronic communications service or remote computing service from revealing the existence of the subpoena or search warrant. This type of order is usually granted because there is reason to believe that notification of the user of the existence of the legal process will seriously jeopardize the investigation or unduly delay a trial, including giving targets an opportunity to flight from prosecution, destroy or tamper with evidence, intimidate a potential witness, or endanger the life or physical safety of an individual. 18 USC 2705 governs the required elements of a non-disclosure order. In a non-disclosure order, a time period is usually specified to dictate how long the legal process should remain undisclosed from the user. A non-disclosure order renewal is required to extend that period after expiration of the original non-disclosure order.
- Emergency request: An emergency disclosure request allows law enforcement agencies to obtain information in an emergency situation, and it may or may not be supported by legal process (pursuant to 18 USC 2702(b)(8) and 18 USC 2703(c)). For information to be shared under this circumstance, law enforcement agencies must provide facts to prove there is an imminent threat, such as danger of death or serious physical injury, and it requires the immediate disclosure of information to prevent off-platform harm from occurring. Although it is voluntary for a company to act, many do in practice. A best practice is to prepare a pre-established form for law enforcement agencies to fill out when/if an emergency occurs.
- Takedown request: Governmental entities often ask private companies hosting harmful user-generated content to remove, or take down, posted information. These types of requests fall outside of ECPA in that there is no request for user information, simply removal of the reported material. Based on their established policies and procedures, the company hosting the reported material should determine if it is in violation of the terms of service and warrants removal.
Takedown requests are not always related to trust and safety issues. For example, a team may receive a request to remove content based off of the Digital Millennium Copyright Act (DMCA). The DMCA is a US federal law that governs copyright infringement issues. Similar to other types of legal requests, a T&S team should be prepared to receive such court orders and have the requisite policy and procedures in place.
In-depth Look: Microsoft, Legal Requests, and New Guidelines
In April 2016, Microsoft brought a lawsuit against the U.S. government. Microsoft stated that over an 18-month-period, the U.S. government has required that Microsoft maintained secrecy regarding 2,576 legal requests while 68% appeared to contain indefinite demands for secrecy. It effectively prohibited Microsoft from notifying their customers, forever, that the government had accessed their data. Microsoft further argued that it violated the principles established by both the Fourth and First Amendments to the U.S. Constitution.
In October 2017, the Justice Department issued new guidelines limiting its use of indefinite non-disclosure orders and calling for such orders to be issued for defined periods.
Receiving Requests for User Information
There are many different avenues for receiving requests for user data. Most commonly, legal requests are received by U.S. postal mail, email, Corporate Compliance Services (CSC), or web portals. Oftentimes, different law enforcement entities from across the globe will disregard established procedures and try to obtain data outside of these avenues. For instance, a law enforcement officer might simply email a platform and ask for data. It is important to direct all requests to the proper service channels to ensure legal compliance. For U.S.-based companies receiving international legal requests, requesting countries may submit these requests via the U.S. Department of Justice. This process is known as Mutual Legal Assistance Treaty (MLAT).
After receiving a legal request, it is important to confirm its validity and each company may have their own review process. The requests should be in writing and are likely to contain the following information:
- Requesting agency name;
- Court or authority that issued the request;
- Case/investigation/docket number;
- Legal basis for the request;
- Requesting agent name and identification (badge) number;
- Requesting agent employer-issued email address, contact phone number, mailing address (not a P.O. Box);
- Date of request;
- Response date;
- Signature by appropriate issuing authority (i.e., Judge);
- How and to who the data shall be produced
- The unique user identification information for the requested account (format will vary depending on type of service);
- Type of information requested.
As data is gathered for production, there are many factors for consideration. The Electronic Communication Privacy Act of 1986 generally dictates how user information can be shared with law enforcement. One piece of determining what data to produce is understanding the difference between what is considered “content” (18 U.S.C. § 2510(8)) and what is considered “non-content” (U.S.C. § 2703(c)(1) and 18 U.S.C. § 2703(c)(2)). This distinction is important as it outlines the types of data produced and what type of legal process is needed to obtain it. Generally speaking, these categories are:
- Can include but is not limited to any wire, oral or electronic communication, such as the text of an email and social media chat messages (such as Facebook Messenger).
- Can include but is not limited to usernames, email addresses, IP addresses etc. Examples could be the IP address the user has logged in from, their username on the service (such as a Twitter handle) or email address they have on record with the service.
Consequences of Non-Compliance
Failure to respond to legal process such as a subpoena or a search warrant can result in penalties, such as fines.
Companies have different policies on whether to inform their users about the existence of legal requests pertaining to their accounts. Some companies, unless being legally prohibited from doing so, notify their users by default after receiving a legal request. Some companies choose to not disclose such information to their users in certain circumstances such as child safety or non-consensual intimate image sharing.