The Washington PostDemocracy Dies in Darkness

A remarkable new opinion on search warrants for online accounts — and why I think it’s wrong

Placeholder while article actions load

This is my second post on recent decisions in computer search and seizure law by Magistrate Judge John Facciola of the federal court in the District of Columbia. In my first post, I covered Judge Facciola’s opinion denying a warrant on the ground that the government didn’t need one. In this post, I’ll address a more dramatic and important opinion that considers how search warrants for e-mail and social media accounts should be drafted and executed. Judge Facciola’s opinion rejects an approach to e-mail warrants that DOJ has recommended. It then concludes that the Fourth Amendment may require third-party service providers to execute warrants and then pass on the results to the government. I have posted the opinion here: In the Matter of the Search of Information Associated with [redacted] that is Stored at Premises Controlled by Apple, Inc.

This is a long post that will cover the issues in unusual depth, so here’s a roadmap to let you know where I’m going. I’ll start with an introduction to the two-stage computer warrant process and the challenges it poses to executing and drafting warrants. I’ll then turn to the specific issues raised by the drafting and execution of warrants under the Electronic Communications Privacy Act. Third, I’ll cover the approach to drafting such warrants recommended by DOJ’s 2009 manual on searching and seizing computers. Fourth, I’ll address Judge Facciola’s opinion, which holds that DOJ’s recommended approach is unconstitutional and indicates that providers, not the government, must search through digital contents to find evidence. Fifth, I’ll explain why I find Judge Facciola’s opinion unpersuasive both on the law and as a matter of practice.

I. An Introduction to the Two-Stage Computer Warrant Process

A basic problem in computer search and seizure law is that computers can store an incredible amount of information. Evidence of crime and personal items are often mixed together. When the government has a search warrant to search for electronically-stored evidence, it often takes a great deal of time — days, weeks, or even longer — to sort through the contents of a computer to find the responsive materials. The government is looking for a needle in the haystack, and finding the needle can take a long time.

When the government wants to execute a warrant for electronic information stored at a suspect’s home, the practicalities of computer search and seizure generally require breaking the execution of the warrant into two steps. A traditional physical search has a single cycle. First the police search for the evidence, and then they seize it. It’s search, then seizure. Because computer searches take so much time, however, the process has to be divided into two cycles. First there is a physical search, followed by a physical seizure of the electronic storage devices. Second, there is an electronic search through the seized electronic data and a subsequent seizure of the relevant electronic evidence. It’s physical search, physical seizure; then electronic search, electronic seizure.

Courts have approved this two-cycle search process as constitutionally reasonable under the Fourth Amendment. Here’s a representative quote from a Ninth Circuit opinion, which was in turn quoting a trial court opinion by Judge Kozinski:

[T]he process of searching the files at the scene can take a long time. To be certain that the medium in question does not contain any seizable material, the officers would have to examine every one of what may be thousands of files on a disk — a process that could take many hours and perhaps days. Taking that much time to conduct the search would not only impose a significant and unjustified burden on police resources, it would also make the search more intrusive. Police would have to be present on the suspect’s premises while the search was in progress, and this would necessarily interfere with the suspect’s access to his home or business. If the search took hours or days, the intrusion would continue for that entire period, compromising the Fourth Amendment value of making police searches as brief and non-intrusive as possible.

United States v. Hill, 459 F.3d 966, 974-75 (9th Cir. 2005).

So that’s the practice of executing computer warrants. What does it mean for how warrants should be drafted? As I explained in a 2005 article, Search Warrants in an Era of Digital Evidence, the bifurcation into a two-cycle process for computer searches raises a lot of interesting questions about how to draft warrants for digital evidence. The Fourth Amendment states that warrants must particularly describe the place to be searched and the things to be seized. The problem is that the place to be searched and the things to be seized at the physical search stage are very different from the place to be searched and the things to be seized at the electronic search stage. When drafting a warrant, should agents describe the search and seizure at the physical stage, the electronic stage, or both?

To see the problem, imagine the government has probable cause to believe that there are images of child pornography stored in a computer at 123 Main Street. With a traditional physical search, the warrant would just say, “Go to 123 Main Street and seize the child pornography there.” But with computers, you can’t tell which electronic storage device might have the images, and it takes too long to search the computers on site. Agents need to seize the computers, take them back to the government lab, and then later on search them for the child pornography. So how should the warrant describe the place to be searched and the things to be seized? The warrant could just describe the physical search stage. Such a warrant might say, “Go to 123 Main Street and seize computers found there.” Alternatively, you could have the warrant just describe the electronic search stage. Such a warrant might say, “Go get the seized computer and search it for images of child pornography.” But if the warrant focuses exclusively on just the physical search stage or the electronic search stage, it’s missing the other half of the search.

In my 2005 article, I recommended that warrants for electronic evidence should explicitly cover both stages. That is, warrants should state with particularity where the police will go and what they will take at the physical stage and what the police will do at the electronic stage. But that was just my recommendation. Most computer warrants today somewhat sloppily blend the two stages together. For example, it’s common for computer warrants to describe the place to be searched as the physical place (“123 Main Street”) and to then describe the items to be seized as a blend of the physical and electronic (“any computers that contain child pornography”). The affidavit will then include an explanation that the agents plan to execute the warrants in two stages, and that they will seize all computers at the physical stage and later search all the seized computers for child pornography at the electronic search stage. It’s a little strange to include that in the affidavit rather than the warrant itself, but courts have so far upheld the practice.

II. The Specific Issue of Warrants For the Contents of Online Accounts

Judge Facciola’s new opinion deals with a factual variation on this problem. Specifically, it deals with how the government should draft and execute warrants for the contents of remotely stored online accounts. Maybe the government wants a warrant to obtain stored e-mails from Google, or documents stored in an the cloud in a Dropbox account, or messages from a Facebook account. The precedents so far say that the contents of such accounts are protected by the Fourth Amendment. The question is, how should warrants for those accounts be executed, and what should the warrants say?

Warrants for remotely-stored contents raise some unique issues because the information is held by third party providers. The third-party provider has possession of the account contents and no involvement in the crime, so the government can go through the provider and get the information directly from the provider. And clearly this is a better way to execute the warrant. We wouldn’t want the government breaking into corporate headquarters and searching the servers directly. Instead, the government can execute the warrant more like a subpoena. It can send the warrant to the provider and have the provider send back the relevant information. See generally United States v. Bach, 310 F.3d 1063 (8th Cir. 2002) (approving such as procedure as constitutionally reasonable).

Despite this difference, warrants for remote accounts still raise the screening problem. A typical Gmail account has more than 17,000 stored messages, so once again someone needs to go through all those messages and find what is responsive to the warrant. Because going through all those files can take a really long time, that work is done by agents rather than the providers. Warrants for e-mail accounts traditionally ask for the whole account, and the provider then sends the account information in a CD or some other form of electronic storage. Agents then search the CD just as they would if they had seized the CD from the suspect’s home.

III. DOJ Recommends a Two-Step Description of the Items to be Seized for ECPA Warrants

Now consider how to draft warrants for these third-party searches. In 2009, my old section at the Justice Department, the Computer Crime and Intellectual Property Section, published a revised version of its influential manual on computer crime investigations, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. [Full disclosure: I wrote the first version of the manual, published in 2001, when I was at DOJ.] The 2009 manual included a new “go by” — that is, a model example for agents and prosecutors in the field to “go by” — handling the specific case of search warrants obtained for account records held by Internet providers.

The manual recommends that the “place to be searched” for such warrants should be described as follows:

This warrant applies to information associated with [EMAIL ACCOUNT] that is stored at premises owned, maintained, controlled, or operated by [EMAIL PROVIDER ], a company headquartered at [ADDRESS].

Note that the description of the place to be searched is a bit vague. Instead of saying where the information is located, the warrant just says that it “applies to information associated with” the provider that is stored at premises somewhere controlled or operated by it.

The manual then recommends a two-step answer to the description of the items to be seized. The first part of the description of the things to be seized explains what information the third-party provider will hand over to the government:

I. Information to be disclosed by [EMAIL PROVIDER]
To the extent that the information described in Attachment A is within the possession, custody, or control of [EMAIL PROVIDER], [EMAIL PROVIDER] is required to disclose the following information to the government for each account or identifier listed in Attachment A:
a. The contents of all emails stored in the account, including copies of emails sent from the account;
b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the ac- count was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of pay- ment (including any credit or bank account number);
c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files;
d. All records pertaining to communications between [EMAIL PROVIDER] and any person regarding the account, including contacts with sup- port services and records of actions taken.

The description of the things to be seized then has a part II, which explains what the government will actually look for and copy when it reviews the information handed over to the government:

II. Information to be seized by the government
All information described above in Section I that constitutes fruits, evidence and instrumentalities of violations of the statutes listed on the warrant involving [SUSPECT] since [DATE], including, for each account or identifier listed on Attachment A, information pertaining to the following matters:
a. [Insert specific descriptions of the electronic mail which your probable cause supports seizure and copying of; examples: “the sale of illegal drugs” “a threat to bomb a laboratory,” “communications between John and Mary,” “preparatory steps taken in furtherance of the scheme”. Tailor the list to items that would be helpful to the investigation.]
b. Records relating to who created, used, or communicated with the account.

Note that the DOJ warrant is clear that it is contemplating a two-cycle search process. First the provider hands over the files to the government. Next, the government scans through the files and copies the material that is responsive to the warrant.

IV. Judge Facciola Rules that DOJ’s Approach is Unconstitutional, and that Providers Must Perform the Screening

For the three readers still following me — hi mom! — we’re finally ready for Judge Facciola’s new opinion. In this case, the government has applied for an ECPA warrant to be served on Apple for e-mails that are evidence of illegal kickbacks in an investigation into a defense contractor. The warrant pretty much follows the form of the DOJ manual, with one limiting element: The warrant only seeks records from December 2013 to the present. Other than that, the application closely tracks the language from the 2009 DOJ manual.

In his decision, Judge Facciola denies the warrant, orders the government to stop relying on the 2009 manual language, and then very strongly suggests — without quite holding — that the Fourth Amendment requires Apple, not the government, to screen the account information for the evidence sought. Judge Facciola reasons that when the government obtains the entire contents of the account for the three months covered by the warrant, the entire contents are seized. But this is unconstitutional, Judge Facciola holds, because it then allows a subsequent general exploratory rummaging through the entirety of the suspect’s account. To avoid this exploratory rummaging, Facciola argues, there must be a procedure for executing e-mail warrants that better protects the privacy of suspects and keeps irrelevant materials away from the government.

Judge Facciola concludes that the best way — and perhaps the only way — to execute e-mail warrants is for the provider to do the screening for relevant evidence:

[T]his Court can see no reasonable alternative other than to require the provider of an electronic communications service to perform the searches. Under the government’s demand that it be given everything, the government leaves the Court with only two options: deny the warrants — thus depriving the government of needed information — or issue warrants that are repugnant to the Fourth Amendment. Neither is viable.
Thus, having an electronic communication service provider perform a search, using a methodology based on search terms such as date stamps, specific words, names of recipients, or other methodology suggested by the government and approved by the Court seems to be the only way to enforce the particularity requirement commanded by the Fourth Amendment.

This rule is feasible, Judge Facciola suggests, because service providers are sophisticated companies that often respond to subpoenas. If providers can respond to subpoenas, then they can screen through information under warrants:

[D]espite any government protestation, a subpoena served on a third party, such as a bank, compels that entity to look within a record set for the particular documents sought. E-mail providers like Apple are technologically sophisticated actors; in fact, one of Apple’s main competitors, Google, has created an entire business model around searching the contents of e-mail in order to deliver targeted advertising, and it has done so for a decade. [citation omitted] There is no reason to believe that Apple or any other entity served with a warrant is incapable of doing what entities responding to subpoenas have done under common law.

V. Why I Find Judge Facciola’s Opinion Unpersuasive

Judge Facciola’s reasoning has two basic parts. First, there is his view that providers must execute the warrants and do the screening. Second, there is his view that the two-stage search procedure is unconstitutional, at least absent some sort of special protections against widespread rummaging. I’ll cover each in turn.

First, Judge Facciola’s belief that Internet providers can readily do the screening work to execute warrants strikes me as highly unpersuasive. Internet providers aren’t and shouldn’t be trained law enforcement officers, so they will have no idea how to find the evidence. To the extent Judge Facciola has a different view, I think he doesn’t fully appreciate the difficulty of executing warrants for electronic information.

Take the facts of this case. Imagine the e-mail account has 20,000 e-mails, and the warrant is for records of illegal kickbacks and conspiracy. How is Apple supposed to find that evidence? Do they do a search for “kickback” and “conspiracy” and call it a day? Do they read each e-mail multiple times, looking for patterns, code words, and hints of illegality? Apple could have an employee search for five minutes or five months: Which does the Fourth Amendment require? When does the government know that the account has been sufficiently searched?

Judge Facciola’s opinion addresses this in passing when he suggests that the government should have to propose — and the magistrate should have to approve — a search protocol for each warrant that the provider will then implement. But courts have repeatedly rejected a requirement of search protocols for computer searches for good practical reasons. You simply never know what protocols are the ones that will recover the evidence sought. Finding information that is responsive to a warrant is an art, not a science.

Again, take the facts of this case. Maybe the suspects in this case are dumb and they wrote things in their e-mail such as, “let’s engage in a conspiracy to commit a criminal kickback scheme that is a felony crime!” If so, a keyword search for terms like “conspiracy” and “kickback” will retrieve at least some of the evidence. But maybe the suspects are more savvy, and they used code words that a keyword search won’t easily identify. How is a magistrate judge supposed to know? Without knowing what information is in the account and how the information was stored, how is the magistrate judge supposed to know when to approve a particular protocol to retrieve information?

Part of the problem is that you never know when a search is done. Let’s say that a approved protocol returns 50 e-mails that show evidence of some crime, but that the government believes that a more complete search protocol will reveal another 500 e-mails that prove that the conspiracy was much broader than the 50 e-mails show. How is the magistrate supposed to know when such a protocol is justified? Is the magistrate supposed to decide how important it is for the government to prove the broader conspiracy, the privacy risks, and the likely benefit, and to enter a ruling on whether that magistrate believes that the broader protocol is justified? If the government believes that the magistrate was wrong to deny its request for a greater protocol, can the government appeal the denial to the district court or circuit court? Oy, what a mess.

Judge Facciola suggests that companies can screen through the information because they’re able to respond to subpoenas. The analogy fails because companies respond to subpoenas for their own records, not for someone else’s records. Companies presumably know where their own records are, so they are well equipped to find those records. But if you’re a major Internet provider, you may have hundreds of millions of customers with their own accounts. You have no particular idea how to find information about illegal kickbacks or conspiracies in the account of one of your customers. Internet providers may be technologically advanced, but they can’t work magic.

Beyond practical objections, I also think that Judge Facciola’s view that providers must execute the warrants is hard to square with Supreme Court case law. In particular, it seems contrary to the Supreme Court’s decision in Zurcher v. Stanford Daily, 436 U.S. 547 (1978). In Zurcher, the government obtained and executed a warrant to search a newspaper office to seize photographs of a crime scene that a reporter had obtained in the course of gathering news for a story. The newspaper then filed a lawsuit claiming that the Fourth Amendment imposes special rules for third-party searches. When evidence is stored with a neutral third party, the newspaper argued, the government shouldn’t be allowed to just go and execute a warrant just like it would at a suspect’s home. Instead, the newspaper argued, the government had to issue a subpoena on the third party. That way, the third party could go through its stuff in response to the subpoena, which would be much less invasive than a direct search by the government.

But the Supreme Court disagreed. According to the majority opinion by Justice White, it was irrelevant that the information was stored with a neutral third party:

[I]t is untenable to conclude that property may not be searched unless its occupant is reasonably suspected of crime and is subject to arrest. And . . . it is difficult to understand why the Fourth Amendment would prevent entry onto [a third party’s] property to recover evidence of a crime not committed by them but by others. As we understand the structure and language of the Fourth Amendment and our cases expounding it, valid warrants to search property may be issued when it is satisfactorily demonstrated to the magistrate that fruits, instrumentalities, or evidence of crime is located on the premises. The Fourth Amendment has itself struck the balance between privacy and public need, and there is no occasion or justification for a court to revise the Amendment and strike a new balance by denying the search warrant in the circumstances present here and by insisting that the investigation proceed by subpoena duces tecum, whether on the theory that the latter is a less intrusive alternative or otherwise.

Zurcher‘s rejection of special Fourth Amendment rules when a neutral third-party possesses the evidence seems hard to square with Judge Facciola’s opinion. Under Zurcher, the possibility that the third-party can do the screening itself has no apparent Fourth Amendment significance. Of course, the third-party can play a role in helping the government execute the warrant. But Zurcher seems to reject the idea that the Fourth Amendment requires the third-party to do the work in an effort to minimize the invasiveness of the search.

Once you reject the idea that providers must execute the warrant for the government, we’re left with the question of whether courts should allow a two-stage search warrant process for computer searches. The proposed DOJ warrant makes the two-stage warrant process clear: The government gets the CD with all the account files, and it then searches the CD just like it might search a CD seized from the suspect’s home.

Should this be allowed? I think the answer is yes for the reasons stated by Judge Kozinski in Hill: The process of screening through the evidence is just too time-consuming to do it on-site. Just as a practical matter, the only realistic alternative is to allow the government to get all the files and then search them. More broadly, whether this two-stage process is allowed for e-mail warrants would seem to depend on the broader question of whether it is allowed for physical-computer warrants. Once you remove the option of a search by the provider, it collapses into the same issue and requires the same answer.

At this point, some readers will object: But wait a minute, doesn’t that mean that the government can look through an incredible amount of private information? And under the plain view exception, won’t that let the government see and perhaps use lots of other stuff found in the account? I certainly recognize the problem, but the key is finding the best answer to it. In my view, the best answer is abolishing the plain view exception for digital searches, as I argued a while back in Searches and Seizures in a Digital World, 119 Harv. L.Rev. 531 (2005). Under my approach, the warrant would authorize the government to look anywhere in the account for the information described in the warrant. But the government would only be allowed to use — and, under a Rule 6(e)-like statutory restriction, disclose — electronic evidence that falls within the scope of the warrant.

Once you adopt that approach, then the best practices recommended in the DOJ 2009 manual seems quite sound. It is clear and transparent about how the two-stage process works: It particularly describes the property to be seized both at the initial data acquisition stage and the subsequent electronic search stage. It’s the same basic idea I recommended in my 2005 article on drafting warrants for digital evidence. Given that, I think the DOJ warrant approach is the best of the available options. If Judge Facciola’s decision is appealed, I hope that the District Court will reverse.